With the rapid development of computer and network technology, network security has become more important, its aim being to protect network information from a wide variety of attacks. To protect the network from the many possible abuses, a single firewall alone cannot meet the requirements; the network also needs real-time monitoring, so that an intrusion can be detected as far as possible before the attack happens.
Intrusion Detection Systems were developed and grew up against this background. As a new, active security defensive mechanism, an Intrusion Detection System can provide the host and network with dynamic protection: it not only monitors internal attacks, external attacks and misoperation in real time, but also works in combination with other network security products to protect the network in full range. Its real-time and proactive characteristics are an important complement to the firewall. Today, intrusion detection has become an indispensable component of overall network security solutions. However, with the continuous expansion of network scale and the complexity of the means of attack, Distributed Intrusion Detection System
Computer systems have been made increasingly secure over the past decades. However, new attacks and the spread of harmful viruses have shown that better methods must be used. One approach gaining increasing popularity in the computer community is to use Intrusion Detection Systems (IDSs). Intrusion Detection Systems identify attacks against a system or users performing illegitimate actions. Using a common analogy, having an Intrusion Detection System is like having a "burglar alarm" in your house. The alarm will not prevent the burglar from breaking into your house, but it will detect and warn you of the problem. Following the publication of the first research in Intrusion Detection Systems, a large number of diverse applications have been developed. One method of accomplishing this type of detection is the use of file system integrity tools. When a system is compromised, an attacker will often alter certain key files to provide continued access and to prevent detection. The changes could target any portion of the system software, e.g. the kernel, libraries, log files, or other sensitive files.
DEPT. OF CSE / B.T.L.I.T 1
DISTRIBUTED INTRUSION DETECTION SYSTEM BASED ON PROTOCOL ANALYSIS
1.1 FILE SYSTEM INTEGRITY
File system integrity checkers detect those changes and trigger a corresponding alert. To guarantee the integrity of the file system, two approaches can be followed.
The first approach is to create a secure database, which is usually composed of hashes. The stored hash is periodically checked against a newly computed hash. This method is used by tools such as Tripwire, AIDE and others.
The second, more recent approach is to create digital signatures of sensitive data, such as executable files using asymmetric cryptography, and use these signatures to check the integrity of the signed file.
Both approaches have advantages and drawbacks, but they share a common flaw: the auditing relies on the validity of the operating system. All the previous applications have made the assumption that the OS itself is not corrupted. Once the operating system is compromised the intruder can easily defeat integrity tools. As an example, in the Linux operating system, redirecting system calls using kernel modules can potentially compromise the system.
Also, since the binary of the integrity tool resides on the machine to be audited, the attacker may be able to corrupt the binary or the configuration files of the tool. This work develops a novel way to overcome the problems of traditional integrity tools. Our approach is to use a Distributed Intrusion Detection System Based on Protocol Analysis to perform the integrity detection checks.
The area of distributed computing systems provides a promising domain for applications of machine learning methods. One of the most interesting aspects of such applications is that learning algorithms that are embedded in a distributed computing infrastructure are themselves part of that infrastructure and must respect its inherent local computing constraints (e.g., constraints on bandwidth, latency, reliability, etc.), while attempting to aggregate information across the infrastructure so as to improve system performance (or, availability) in a global sense.
Consider, for example, the problem of detecting anomalies in a wide-area network. While it is straightforward to embed learning algorithms at local nodes to attempt to detect node-level anomalies, these anomalies may not be indicative of network-level problems. Indeed, recent work has demonstrated a useful role for Principal Component Analysis (PCA) in detecting network anomalies. It showed that the minor components of PCA (the subspace obtained after removing the components with the largest eigenvalues) revealed anomalies that were not detectable in any single node-level trace. While that work did not face the distributed data analysis problem (it involved centralized, off-line analysis of blocks of data), it does provide clear motivation for attempting to design a distributed PCA-based system for analyzing network anomalies in real time. The development of such a design involves facing several challenging problems that have not been addressed in previous work. Naive solutions that continuously push all data to a central analysis site simply cannot scale to large networks or massive data streams. Instead, viable solutions need to process data in-network, to intelligently control the frequency and size of data communications.
The key underlying problem is that of developing a mathematical understanding of how to trade off the quantization arising from local bandwidth restrictions against the delay of the data analysis. We also need to understand how this trade-off impacts overall detection accuracy. Finally, the implementation needs to be simple if it is to have an impact on developers.
TRADITIONAL INTRUSION DETECTION SYSTEM
A traditional intrusion detection system (TIDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization. IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.
Alert/Alarm: A signal suggesting that a system has been or is being attacked.
True Positive: A legitimate attack which triggers TIDS to produce an alarm.
False Positive: An event signaling TIDS to produce an alarm when no attack has taken place.
False Negative: A failure of TIDS to detect an actual attack.
True Negative: When no attack has taken place and no alarm is raised.
Noise: Data or interference that can trigger a false positive.
Site policy: Guidelines within an organization that control the rules and configurations of TIDS.
Site policy awareness: The ability a TIDS has to dynamically change its rules and configurations in response to changing environmental activity.
Confidence value: A value an organization places on a TIDS based on past performance and analysis to help determine its ability to effectively identify an attack.
Alarm filtering: The process of categorizing attack alerts produced from a TIDS in order to distinguish false positives from actual attacks.
Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.
Misfeasor: They are commonly internal users and can be of two types: 1. An authorized user with limited permissions. 2. A user with full permissions who misuses their powers.
Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.
2.2 TYPES
For the purpose of dealing with IT, there are two main types of IDS:
2.2.1 Network intrusion detection system (NIDS)
It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.
2.2.2 Host-based intrusion detection system (HIDS)
It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, filesystem modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. An example of a HIDS is OSSEC. Intrusion detection systems can also be system-specific, using custom tools and honey pots. Some application-based IDS are also part of this category.
2.3 PASSIVE AND/OR REACTIVE SYSTEMS
In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner. In a reactive system, also known as an intrusion prevention system (IPS), the IPS auto-responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. The term IDPS is commonly used where this can happen automatically or at the command of an operator: systems that both "detect" (alert) and/or "prevent".
2.4 COMPARISON WITH FIREWALLS
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.
2.5 STATISTICAL ANOMALY AND SIGNATURE BASED IDSEs
All Intrusion Detection Systems use one of two detection techniques:
2.5.1 Statistical anomaly-based IDS
A statistical anomaly-based IDS determines normal network activity, like what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected which is anomalous (not normal).
2.5.2 Signature-based IDS
A signature-based IDS monitors packets in the network and compares them with preconfigured and predetermined attack patterns known as signatures. The issue is that there will be a lag between a new threat being discovered and the signature being applied in the IDS for detecting that threat. During this lag time your IDS will be unable to identify the threat.
2.6 TRADITIONAL IDS MODEL
Detection of known attacks: Should have the ability to determine the malicious attackers.
Real-time/near real-time analysis: Analyze information sources gathered by the IDS sensor as soon as possible.
High accuracy: Make sure the detection is correct and lower the false alarms.
Minimal resource: Use the minimal resource in the systems when monitoring.
CHAPTER 3 THE ROLES AND RELATIONSHIPS IN TIDS
Hackers: People who attempt to gain unauthorized access to a computer system. These people are often malicious and have many tools for breaking into a system.
System Manager (SM): The person who takes charge to minimize the use of excess, network management, and system maintenance costs. If a system under some attacks results in IDS alarms, they have to make efforts to find out where the problem is.
Fig. 3.1: Relationship in TIDS
Detection System (DS): The system that monitors the events occurring in protected hosts or networks and analyzes them for signs of intrusions.
The intrusion is a major aspect of every network and can be harmful to the entire system. Thus we need a detection system to detect the intrusion in its early stages, before it damages the network. An Intrusion Detection System can provide the host and network with dynamic protection. It can not only monitor internal network attacks, external attacks and misoperation in real time, but also work in combination with other network security products to protect the network in full range. The characteristics of real-time and initiative are an important complement to the firewall. Today, in the overall network security solutions, intrusion detection has become an indispensable component. However, with the continuous expansion of network scale and the complexity of the means of attack, Distributed Intrusion Detection System
CHAPTER 4 PROTOCOL ANALYSIS TECHNOLOGY
The early detection technologies commonly used by Intrusion Detection Systems are misuse detection and anomaly detection. Misuse detection technology matches and identifies attacks based on the known methods of intrusion. It is characterized by simplicity, good scalability and detection efficiency, and the attacks can be detected, but it only applies to relatively simple attacks. The detection technique commonly used is simple pattern-matching technology. Although simple pattern-matching has a big performance problem and a high false alarm rate, it is widely used because system implementation, configuration and maintenance are very convenient.
An anomaly detection system stores the user's normal patterns of behavior in advance; behavior inconsistent with the user's normal patterns is considered an attack. It is characterized by detecting abnormal behavior of the system, and it can find unknown attack patterns. The key question of anomaly detection is the establishment of normal usage patterns, and how to use the model to compare the current system/user behavior with the normal one in order to judge the degree of deviation from the model. Anomaly detection is the main research direction of Intrusion Detection Systems.
IDS systems using these two methods do not have the intelligence to determine the true intention of the traffic they model; this is where the results and advantages of protocol analysis come in. Protocol analysis is the main technical means by which the new generation of IDS systems detects attacks. It uses the high degree of regularity of protocols: the location reported for a given protocol field is analyzed first, so that only information useful for intrusion detection is examined. Since protocol analysis technology guides the search clearly to the specific part of the packet rather than the entire payload, reducing the search space, it is able to improve the efficiency of intrusion detection. Protocol decoding not only decodes the bottom protocol, but also decodes the application layer protocol.
4.1 ANOMALY DETECTION INTRUSION DETECTION SYSTEM
• Anomaly is a pattern in the data that does not conform to the expected behaviour
• Also referred to as outliers, exceptions, peculiarities, surprise, etc.
• Anomalies translate to significant (often critical) real life entities
– Cyber intrusions
– Credit card fraud
4.2 REAL WORLD ANOMALIES
• Credit Card Fraud – An abnormally high purchase made on a credit card
• Cyber Intrusions – A web server involved in ftp traffic
Fig. 4.1: Cyber intrusion
Fig 4.2: Credit card fraud
4.3 KEY CHALLENGES
• Defining a representative normal region is challenging
• The boundary between normal and outlying behavior is often not precise
• The exact notion of an outlier is different for different application domains
• Availability of labelled data for training/validation
• Malicious adversaries
• Data might contain noise
• Normal behaviour keeps evolving
4.4 TYPE OF ANOMALY
Point Anomalies - An individual data instance is anomalous w.r.t. the data
Fig. 4.3: Point Anomalies
Contextual Anomalies - An individual data instance is anomalous within a context. Requires a notion of context; also referred to as conditional anomalies.
Fig. 4.4: Contextual Anomalies (normal vs. anomaly)
Collective Anomalies - A collection of related data instances is anomalous. Requires a relationship among data instances:
- Sequential Data
- Spatial Data
- Graph Data
Fig. 4.5: Collective Anomalies (anomalous subsequence)
CHAPTER 5 THE FUNDAMENTAL STRUCTURE OF PROTOCOL
Protocol decoding not only decodes on the bottom protocol, but also on the application layer protocol. They are able to improve the efficiency of intrusion detection.
Fig 5.1: Protocol Structure (the upper protocols include IP, ARP, IPX, NetBUI, SNMP)
Ethernet MAC frame format: there are two different standards, one is DIX Ethernet V2, and the other is the IEEE standard 802.3. The Ethernet V2 format is often used in current MAC frames; its frame format is as shown in fig. 5.1.
Fig 5.2: Ethernet Frame Format
5.1 TWO IMPORTANT STAGES OF PROTOCOL ANALYSIS
5.1.1 IP datagram
In the transmission protocol, the IP datagram is divided into IP header and IP data. The IP header contains the version, header length, service type, TL, identifier, flag, fragment offset, TTL, type, header checksum, source IP address and destination IP address. Reference fig. 5.3.
Fig. 5.3: IP Datagram Format
The Protocol field accounts for 8 bits; its value indicates which protocol the data carried by this IP datagram uses, e.g. a protocol field value of 6 indicates that the data part uses the TCP protocol. TCP, UDP, ICMP and IGMP data are all based on the IP data transmission format.
5.1.2 TCP datagram
Transmission Control Protocol is a reliable, connection-oriented transmission service; a conversation must be built when exchanging data, which is transmitted by segments. It uses communication by bit stream, that is, unstructured data as a byte stream.
The TCP datagram is divided into TCP header and TCP data. The header contains the source port, destination port, serial number, confirmation number and so on, as shown in fig. 5.3. Each transmitted TCP sequence number is specified, for reliability, and used by the receiver to reply.
Fig. 5.4: TCP Segment Format
Where:
Source Port: The 16-bit source port number.
Destination Port: The 16-bit destination port number.
Sequence Number: The sequence number of the first data byte in this segment. If the SYN control bit is set, the sequence number is the initial sequence number (n) and the first data byte is n+1.
Acknowledgment Number: If the ACK control bit is set, this field contains the value of the next sequence number that the receiver is expecting to receive.
Data Offset: The number of 32-bit words in the TCP header. It indicates where the data begins.
Reserved: Six bits reserved for future use, must be zero.
URG: Indicates that the urgent pointer field is significant in this segment.
ACK: Indicates that the acknowledgment field is significant in this segment.
PSH: Push function.
RST: Resets the connection.
SYN: Synchronizes the sequence numbers.
FIN: No more data from sender.
Window: Used in ACK segments. It specifies the number of data bytes, beginning with the one indicated in the acknowledgment number field, which the receiver (= the sender of this segment) is willing to accept.
Checksum: The 16-bit one's complement of the one's complement sum of all 16-bit words in a pseudo-header, the TCP header and the TCP data. The pseudo-header is the same as that used by UDP for calculating the checksum. It is a pseudo-IP header, only used for the checksum calculation, with the format shown in fig. 5.4.
Fig. 5.5: Pseudo-IP Header
CHAPTER 6 DISTRIBUTED INTRUSION DETECTION ON PROTOCOL ANALYSIS
6.1 DETECTOR UNIT MODEL
The most important part of the system is the design and working pattern of the Detect Module, based on the principle of protocol analysis. It contains two parts: the data capture module and the protocol analysis module.
Data capture module: The major role of the data capture module is to capture data on the network and then send the data to the protocol analysis part; its role is simpler and easy to achieve.
Protocol analysis module: Protocol analysis is the focus of this module; it parses the captured data. Its working principle is as follows. From the Ethernet frame, get the Ethernet header. The Ethernet header length is 14 bytes, made up of the 6-byte destination Ethernet address, the 6-byte source Ethernet address and the 2-byte frame type. The frame type gives the protocol type of the data included in the frame, such as ARP, RARP, IP, IPX, etc.; ARP/RARP are data link protocols, and IP and IPX are network layer protocols. Their corresponding protocol numbers are 0806, 8035, 0800 and 8137. Where there are no other selected items, we take only the IP (0800) protocol for further analysis. The IP header length is 20 bytes; its main contents include the following: source IP address, destination IP address, fragment flag and offset, and the protocol type of the IP load (one byte long). The protocol type within the IP packet indicates the protocol type of the IP packet load, such as TCP, UDP or ICMP; their corresponding protocol numbers are 6, 17 and 1. In the transport layer, where there are no selected options, the TCP header length is 20 bytes; its main contents include source port, destination port, serial number, ACK and so on. The TCP header contains six flags: URG, ACK, PSH, RST, SYN and FIN; that is, the six flag bits reflect the status of the TCP connection. For example, a TCP connection always begins communication with the two sides exchanging SYN packets to create a new connection.
The connection is terminated through the use of FIN or RST. The application layer contains a lot of protocols, such as FTP, TELNET, E-MAIL, WWW and so on; we only analyze some daily applications, such as FTP, TELNET and EMAIL. The packet types can be got according to the source port and destination port of the TCP packet, such as TELNET port 23, EMAIL port 25 and so on. The protocol analysis module extracts the protocol keywords from the application protocol data of the packets; for an FTP packet, for example, you can extract the RETR (GET operation), STOR (PUT operation) and other protocol keywords. After doing this protocol analysis, by comparing these keywords at the top of the detector modules we will be able to determine whether a network intrusion has happened.
6.1.1 Ethernet Version 2
The original Ethernet Version 2 frame varies slightly from the 802.3 Ethernet frame format in that a Type field, also referred to as Ethernet type, is used in place of the Length field (also 2 bytes), as shown on the Ethernet V2 Frame Format Diagram.
Fig 6.1: Ethernet V2 Frame Format
6.1.2 Ethernet 802.3
The 802.3 format of an Ethernet frame is shown on the IEEE 802.3 Ethernet Frame Format Diagram. It has a Length field instead of a Type field, and an 802.2 LLC header (not shown) in the Information field. As mentioned in the previous lesson, the LLC header DSAP field indicates the protocol being carried and steers the frame to the appropriate process in the Network Layer. An 802.3 Length field will always have a value of less than 0x0600.
Fig 6.2: IEEE 802.3 Ethernet Frame Format
6.1.3 802.1Q VLAN Frames
With the establishment of the 802.1Q VLAN standard, it is now possible to mix vendor switch equipment and have the VLANs interoperate. That is, frames travelling from switch to switch between VLANs carry VLAN membership information that all equipment meeting the standard recognizes. The 802.1Q tag follows the standard MAC header in Ethernet frames. If the frame is VLAN-tagged, the Type field contains a value of 0x8100. The VLAN-tag format uses the next 2 bytes after the 0x8100 Type field for the VLAN tag. These 16 bits contain the 3-bit frame priority, the canonical format indicator (CFI), and the 12-bit VLAN ID. Following the VLAN tag would be the original 802.3 Length field or Version 2 Type value that the frame would have carried had it not been tagged.
Another way of looking at this is that Ethernet frames have either a Length or a Type field. When using LLC, the field is Length-encoded; if not using LLC, the field is Type-encoded. If the original frame was Length-encoded, the 2 bytes following the VLAN tag would be a Length field, followed by the LLC header as the first part of the Information field. This concept is illustrated on the 802.1Q Length-Encoded Frame Format Diagram.
Fig 6.3: Length-Encoded Frame Format
If Length-encoded: 8100 0020 01A6 -- The 8100h and 0020h are the 4 additional VLAN bytes; the 01A6 is an example of a valid 802.3 length. The LLC header would follow in the Information field.
If the original frame was Type-encoded, the 2 bytes following the VLAN tag would be the Type field. That is, if this is an 802.1Q-tagged Type-encoded frame carrying IP, the 2 bytes after the VLAN tag will be 0x0800, indicating IP is being carried. This concept is illustrated on the 802.1Q Type-Encoded Frame Format Diagram.
Fig 6.4: Type-Encoded Frame Format
If Type-encoded: 8100 0020 0800 -- The 0800h is in the Type field.
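The decoding chain described in Chapter 5 and sections 6.1 to 6.1.3 (Ethernet header and type, the 802.1Q tag, the IP protocol field, the TCP header with its six flags and pseudo-header checksum, and the FTP keywords RETR/STOR), as an added worked example in Python; it is not code from the original report. The sample frame is constructed here, the FTP control port 21 and the checksum verification step are assumptions of the example, and it stops at the first layer the detector does not analyse.

```python
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_VLAN = 0x8100
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# TCP flag bits, least-significant first: FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
# Application protocols analysed by port (TELNET 23 and EMAIL 25 from the text;
# FTP control port 21 is the standard assignment, assumed here)
APP_PORTS = {21: "FTP", 23: "TELNET", 25: "EMAIL"}
# Keywords the protocol analysis module extracts (RETR/STOR are the FTP examples in the text)
APP_KEYWORDS = {"FTP": {"RETR", "STOR"}}


def ones_complement_sum(data: bytes) -> int:
    """Sum of 16-bit big-endian words with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the pseudo-IP header (source, destination, zero, protocol 6,
    TCP length) followed by the TCP header and data; the checksum field inside
    `segment` must already be zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet -> optional 802.1Q tag -> IPv4 -> TCP -> application keyword."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    info = {"eth_type": ethertype}
    if ethertype == ETHERTYPE_VLAN:
        # Tag control information: 3-bit priority, 1-bit CFI, 12-bit VLAN ID,
        # followed by the Type/Length the frame carried before it was tagged
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(vlan_id=tci & 0x0FFF, priority=tci >> 13, eth_type=ethertype)
        offset = 18
    if ethertype < 0x0600:
        info["encoding"] = "length"  # 802.3 frame: an LLC header follows, not analysed here
        return info
    info["encoding"] = "type"
    if ethertype != ETHERTYPE_IP:
        return info                  # only IP (0800) goes on to the next stage
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4         # header length in bytes (20 with no options)
    total_length = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    info.update(src_ip=".".join(map(str, ip[12:16])),
                dst_ip=".".join(map(str, ip[16:20])),
                ip_proto=IP_PROTOCOLS.get(proto, proto))
    if proto != 6:
        return info
    tcp = ip[ihl:total_length]
    (sport, dport, seq, ack, off_flags,
     window, csum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4
    info.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, window=window,
                flags=[n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)])
    # Verify the checksum by recomputing it with the checksum field zeroed
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    info["checksum_ok"] = tcp_checksum(ip[12:16], ip[16:20], zeroed) == csum
    app = APP_PORTS.get(dport) or APP_PORTS.get(sport)
    info["app"] = app
    payload = tcp[data_offset:]
    first_word = (payload.split(None, 1)[0].decode("ascii", "replace").upper()
                  if payload.strip() else "")
    info["keyword"] = first_word if first_word in APP_KEYWORDS.get(app, set()) else None
    return info


def build_sample_frame(payload: bytes, vlan_id: int = 100, dport: int = 21,
                       flags: int = 0x18) -> bytes:
    """Constructed test input: a VLAN-tagged frame carrying IPv4 192.0.2.10 -> 192.0.2.20
    and a TCP segment (PSH|ACK by default) with a correct TCP checksum. The IP header
    checksum is left at zero because decode_frame does not verify it."""
    src_ip, dst_ip = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
    tcp_hdr = struct.pack("!HHIIHHHH", 40000, dport, 1000, 2000, (5 << 12) | flags, 8192, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         1, 0, 64, 6, 0, src_ip, dst_ip)
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    vlan_tag = struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id, ETHERTYPE_IP)
    return eth_hdr + vlan_tag + ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    print(decode_frame(build_sample_frame(b"RETR report.txt\r\n")))
```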
6.2 DISTRIBUTED INTRUSION DETECTION SYSTEM MODEL
Although an Intrusion Detection System can identify non-authorized use, abuse or misuse of computer and network systems, as intrusions have become more and more complex, an individual intrusion detection system has been unable to deal with complex security issues. So a number of intrusion detection system agents are put on the network, and a process module is set up to deal with the keyword data carried from the intrusion detection system agents, doing comprehensive analysis to determine whether an attack happens; this is the Distributed Intrusion Detection System. This system is divided into the Detect Module, the Process Module and the Response Module; the relationship between the various modules is shown in Figure 6.5.
In this model, the Detect Module and Process Module make up a complete intrusion detection system. Each detection module is a micro data analysis system; the data it reports after analysis is sent through the high-speed link to the process module. After the network intrusion detection, the Process Module sends the signal of the intrusion to the Response Module to alarm the user. Once the Response Module has determined whether there is an intrusion, the network data that passed the Detect Module and the Process Module can arrive at the user's computer after the detection.
Fig. 6.5: Model of Distributed Intrusion Detection System
The Process Module contains a rule base, which holds the keyword set of the currently common intrusion modes; with the emergence of new intrusion technology the rule base expands in size, and keywords can also be deleted. The Detect Module sends the keywords to the rule base for comparison; if we find that the string of arrived keywords matches the rules in the rule base, then the intrusion has happened. The Response Module reports the intrusion to the user, as well as advising the user of the means of attack and the target of the attack, allowing the user to take timely preventive measures to avoid losses.
CHAPTER 7 CHARACTERISTICS OF THE DIDS SYSTEM
Intrusion detection is the problem of identifying unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. The proliferation of heterogeneous computer networks provides additional implications for the intrusion detection problem. Namely, the increased connectivity of computer systems gives greater access to outsiders, and makes it easier for intruders to avoid detection. IDS's are based on the belief that an intruder's behavior will be noticeably different from that of a legitimate user. The designing and implementing of a prototype Distributed Intrusion Detection System (DIDS) combines distributed monitoring and data reduction (through individual host and LAN monitors) with centralized data analysis (through the DIDS director) to monitor a heterogeneous network of computers. This approach is unique among current IDS's. A main problem considered in this paper is the Network-user Identification problem, which is concerned with tracking a user moving across the network, possibly with a new user-id on each computer. Initial system prototypes have provided quite favorable results on this problem and the detection of attacks on a network. This paper provides an overview of the motivation behind DIDS, the system architecture and capabilities, and a discussion of the early prototype.
7.1 SCENARIOS
The detection of certain attacks against a networked system of computers requires information from multiple sources. A simple example of such an attack is the so-called doorknob attack. In a doorknob attack the intruder's goal is to discover, and gain access to, insufficiently-protected hosts on a system. The intruder generally tries a few common account and password combinations on each of a number of computers. These simple attacks can be remarkably successful. UC Davis' NSM recently observed an attacker of this type gaining super-user access to an external computer which did not require a password for the super-user account. In this case, the intruder used telnet to make the connection from a university computer system, and then repeatedly tried to gain access to several different computers at the external site. In cases like these, the intruder tries only a few logins on each machine (usually with different account names), which means that an IDS on each host may not flag the attack. Even if the behavior is recognized as
DIDS would also report that user "guest" was really. even if the corresponding degree of browsing is small. there are a number of general ways that an intruder can use the connectivity of the network to hide his trail and to enhance his effectiveness. OF CSE / B. while most IDS’s would report the occurrence of an incident involving user "guest" on the target machine. Because DIDS aggregates and correlates data from multiple hosts and the network. he exhibited behavior which would have alerted most existing IDS’s (e. for example. Note that DIDS should be at least as effective as host-based IDS’s (if we implement all of their functionality in the DIDS host monitor). the network-wide.g.T. changing passwords and failed events). Another possible scenario is what we call network browsing. and at least as effective as the stand-alone NSM. DEPT. thus they cannot recognize the doorknob attack as such. user "smith" on the source machine. In another incident. Network browsing can be detected as follows.T 24 . That is.L. The expert system can then aggregate such information from multiple hosts to determine that all of the browsing activity corresponds to the same network user. This scenario presents a key challenge for DIDS: the tradeoffs between sending all audit records to the director versus missing attacks because thresholds on each host are not exceeded. However. DIDS would not only report the attack. it is in a position to recognize the doorknob attack by detecting the pattern of repeated failed logins even though there may be too few on a single host to alert that host’s monitor. Once the attacker had access to the system. This occurs when a (network) user is looking through a number of files on several different computers within a short period of time. In addition to the specific scenarios outlined above. assuming that the source machine was in the monitored domain. 
but may also be able to identify the source of the attack.DISTRIBUTED INTRUSION DETECTION SYSTEM BASED ON PROTOCOL ANALYSIS an attack on the individual host.. Some of the attack configurations which have been hypothesized include chain and parallel attacks. It may also be possible to go even further back and identify all of the different user accounts in the "chain" to find the initial launching point of the attack. our NSM recently observed an intruder gaining access to a computer using a guest account which did not require a password. current IDS’s are generally unable to correlate reports from multiple hosts. In an incident such as this. The browsing activity level on any single host may not be sufficiently high enough to raise any alarm by itself. aggregated browsing activity level may be high enough to raise suspicion on this user. Each host monitor will report that a particular user is browsing on that system.I. DIDS combats these inherent vulnerabilities of the network by using the very same connectivity to help track and detect the intruder.
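The doorknob and network-browsing scenarios above both hinge on the same point: each host monitor on its own stays under its threshold, and only the director, aggregating by network user, sees the pattern. The following is an added example (not code from DIDS or from this report) that contrasts the two views over a constructed evidence list. The record layout, the threshold values and the "nid-*" identifiers are assumptions; the records stand in for the har() events a real host monitor would forward, with the director's user attribution already applied.

```python
"""Cross-host correlation for the doorknob and network-browsing scenarios.

Added example, not code from the DIDS project or the original report.  The
event records and thresholds are constructed for illustration; real DIDS
host monitors report har() records, simplified here to
(host, network_user, account, action, domain, status) tuples.
"""
from collections import defaultdict

# Per-host thresholds as a single host monitor might apply them, and the
# network-wide thresholds a director applies after aggregation.  (Assumed
# values, chosen so that a single host stays under its own limit.)
HOST_FAILED_LOGINS = 3          # a host alerts only at 3+ failed logins per account
NET_FAILED_LOGINS = 5           # director alerts at 5+ across all hosts
HOST_BROWSE_READS = 10
NET_BROWSE_READS = 15

# Constructed evidence.  The second field stands in for the NID, i.e. the
# director has already attributed every session to one network user.
EVIDENCE = [
    ("host1", "nid-7", "guest", "session_start", "authentication", "fail"),
    ("host1", "nid-7", "root",  "session_start", "authentication", "fail"),
    ("host2", "nid-7", "guest", "session_start", "authentication", "fail"),
    ("host2", "nid-7", "sync",  "session_start", "authentication", "fail"),
    ("host3", "nid-7", "guest", "session_start", "authentication", "fail"),
    ("host3", "nid-7", "guest", "session_start", "authentication", "success"),
    # browsing: many small reads of not_owned files spread over several hosts
    *[("host1", "nid-9", "smith", "read", "not_owned", "success")] * 6,
    *[("host2", "nid-9", "jones", "read", "not_owned", "success")] * 5,
    *[("host3", "nid-9", "doe",   "read", "not_owned", "success")] * 6,
    # a legitimate user: the same per-host volume, but on one host only
    *[("host1", "nid-2", "alice", "read", "not_owned", "success")] * 6,
]


def host_monitor_alerts(evidence):
    """What each host monitor would flag on its own (no cross-host view)."""
    failed = defaultdict(int)
    reads = defaultdict(int)
    for host, _nid, account, action, domain, status in evidence:
        if action == "session_start" and status == "fail":
            failed[(host, account)] += 1
        elif action == "read" and domain == "not_owned":
            reads[(host, account)] += 1
    alerts = set()
    alerts.update(("doorknob", h, a) for (h, a), n in failed.items() if n >= HOST_FAILED_LOGINS)
    alerts.update(("browsing", h, a) for (h, a), n in reads.items() if n >= HOST_BROWSE_READS)
    return alerts


def director_alerts(evidence):
    """Director view: aggregate by network user (NID) across all hosts."""
    failed = defaultdict(lambda: {"count": 0, "hosts": set(), "accounts": set()})
    reads = defaultdict(lambda: {"count": 0, "hosts": set()})
    for host, nid, account, action, domain, status in evidence:
        if action == "session_start" and status == "fail":
            failed[nid]["count"] += 1
            failed[nid]["hosts"].add(host)
            failed[nid]["accounts"].add(account)
        elif action == "read" and domain == "not_owned":
            reads[nid]["count"] += 1
            reads[nid]["hosts"].add(host)
    alerts = {}
    for nid, f in failed.items():
        # doorknob: few tries per host, several hosts, several account names
        if f["count"] >= NET_FAILED_LOGINS and len(f["hosts"]) > 1:
            alerts[nid] = ("doorknob", sorted(f["hosts"]), sorted(f["accounts"]))
    for nid, r in reads.items():
        # browsing: total reads over the network exceed what any host saw
        if r["count"] >= NET_BROWSE_READS and len(r["hosts"]) > 1:
            alerts[nid] = ("browsing", sorted(r["hosts"]), r["count"])
    return alerts


if __name__ == "__main__":
    print("host monitors alone:", host_monitor_alerts(EVIDENCE))
    print("director:", director_alerts(EVIDENCE))
```

Run stand-alone, the host-monitor view returns an empty set while the director view flags nid-7 as a doorknob attack over three hosts and nid-9 as network browsing; alice (nid-2) reads just as much per host as the browser but is never flagged, which is the tradeoff the text describes: the director only sees this because the small per-host counts were forwarded at all.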
7.2 THE NETWORK-USER IDENTIFICATION (NID)

One of the most interesting challenges for intrusion detection in a networked environment is to track users and objects (e.g. files) as they move across the network. In a networked environment, an intruder may often choose to employ the interconnectivity of the computers to hide his true identity and location. For example, an intruder may use several different accounts on different machines during the course of an attack. It may be that a single intruder uses multiple accounts to launch an attack, and that the behavior can be recognized as suspicious only if one knows that all of the activity emanates from a single source. For example, it is not particularly noteworthy if a user inquires about who is using a particular computer (e.g. using the UNIX who or finger command). However, it may be indicative of an attack if a user inquires about who is using each of the computers on a LAN and then subsequently logs into one of the hosts. Detecting this type of behavior requires attributing multiple sessions, perhaps with different account names, to a single source. Correlating data from several independent sources, including the network itself, can aid in recognizing this type of behavior and tracking an intruder to their source.

Fig. 7.1: Network User Identification (NID)

This problem is unique to the network environment and has not been dealt with before in this context. The solution to the multiple user identity problem is to create a network-user identification (NID) the first time a user enters the monitored environment, and then to apply that NID to any further instances of the user. All evidence about the behavior of any instance of the user is then accountable to the single NID. In order to do this, we must be able to determine that "smith@host1" is the same user as "jones@host2", if in fact they are. Since the network-user identification problem involves the collection and evaluation of data from both the host and LAN monitors, examining it is a useful method to understand the operation of DIDS. In the following subsections we examine each of the components of DIDS in the context of the creation and use of the NID.

7.3 THE HOST MONITOR

The host monitor is currently installed on Sun SPARCstations running SunOS 4.0.x with the Sun C2 security package. Through the C2 security package, the operating system produces audit records for virtually every transaction on the system. These transactions include file accesses, system calls, process executions, and logins. The contents of the Sun C2 audit record are: record type, record event, time, real user ID, audit user ID, effective user ID, real group ID, process ID, error code, return value, and label. The host monitor examines each audit record to determine if it should be forwarded to the expert system for further evaluation. Certain critical audit records are always passed directly to the expert system (i.e. notable events); others are processed locally by the host monitor (i.e. profiles and attack signatures, which are sequences of noteworthy events which indicate the symptoms of attacks) and only summary reports are sent to the expert system. Thus, one of the design objectives is to push as much of the processing down to the low-level monitors as possible.

From the audit record, the host event generator (HEG) creates a more abstract object called an event. The event includes any significant data provided by the original audit record plus two new fields: the action and the domain. The action and domain are abstractions which are used to minimize operating system dependencies at higher levels. Actions characterize the dynamic aspect of the audit records. The actions are: session start, session end, read (a file or device), write (a file or device), execute (a process), terminate (a process), create (a file or (virtual) device), delete (a file or (virtual) device), move (rename a file or device), change rights, and change_user_id. Domains characterize the objects of the audit records, in this case by their function. In most cases, the objects are files or devices and their domain is determined by the characteristics of the object or its location in the file system. Since processes can also be objects of an audit record, they are also assigned to domains. Note that no distinction is made between files, directories or devices, and that all of these are treated simply as objects.

The domains are: tagged, authentication, audit, network, system, sys_info, user_info, utility, owned, and not_owned. The domains are prioritized so that an object is assigned to the first applicable domain. Tagged objects are ones which are thought a priori to be particularly interesting in terms of detecting intrusions. Any file, device, or process can be tagged (e.g. /etc/passwd). Authentication objects are the processes and files which are used to provide access control on the system (e.g. the password file). Similarly, audit objects relate to the accounting and security auditing processes and files. Network objects are the processes and files not covered in the previous domains which relate to the use of the network. System objects are primarily those which are concerned with the execution of the operating system itself, again exclusive of those objects already assigned to previously considered domains. Sys_info and user_info objects provide information about the system and about the users of the system, respectively. The utility objects are the bulk of the programs run by the users (e.g. compilers and editors). Owned objects are relative to the user. Not_owned objects are, by exclusion, every object not assigned to a previous domain. They are also relative to a user; thus, files in the owned domain relative to "smith" are in the not_owned domain relative to "jones".

Not every action is applicable to every object. For example, the terminate action is applicable only to processes. All possible transactions fall into one of a finite number of events formed by the cross product of the actions and the domains, and each event may also succeed or fail. The choice of these domains and actions is somewhat arbitrary in that one could easily suggest both finer and coarser grained partitions. However, they capture most of the interesting behavior for intrusion detection and correspond reasonably well with what other researchers in this field have found to be of interest. The concept of the domain is one of the keys to detecting abuses. Using the domain allows us to make assertions about the nature of a user's behavior in a straightforward and systematic way. In general, the execution of an object in the utility domain is not interesting (except when the use is excessive), but the creation or modification of one is. By mapping an infinite number of transactions to a finite number of events, we not only remove operating system dependencies, but also restrict the number of permutations that the expert system will have to deal with. Although we lose some details provided by the raw audit information, that is more than made up for by the increase in portability, speed, simplicity, and generality.

An event reported by a host monitor is called a host audit record (har). The record syntax is:

har(Monitor-ID, Host-ID, Audit-UID, Real-UID, Effective-UID, Time, Domain, Action, Transaction, Object, Parent Process, PID, Return Value, Error Code).

Of all the possible events, only a subset are forwarded to the expert system. The HEG consults external tables, which are built by hand, to determine which events should be forwarded to the expert system. Because they relate to events rather than to the audit records themselves, the tables and the modules of the HEG which use them are portable across operating systems. The only portion of the HEG which is operating system dependent is the module which creates the events. For the creation and application of the NID, it is the events which relate to the creation of user sessions or to a change in an account that are important. These include all the events with session_start actions, as well as ones with an execute action applied to the network domain. These latter events capture such transactions as executing the rlogin, rsh, telnet, and rexec UNIX programs.

Fig. 7.2: DIDS target environment
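The HEG pipeline just described (raw audit record to event with action and domain, first applicable domain wins, hand-built table decides what reaches the director, result expressed as a har tuple) is shown below as an added example; it is not DIDS code. The audit records are constructed stand-ins for a few fields of a Sun C2 record, and the event-name mapping, the path patterns behind each domain and the forwarding table are assumptions chosen to match the description above.

```python
"""Host Event Generator (HEG) sketch: audit record -> event -> har().

Added example, not DIDS code.  Audit records are constructed stand-ins for
Sun C2 records (a few fields only); the domain classification rules, the
C2-event-to-action map and the forwarding table are assumed, written in the
spirit of the text (first applicable domain wins, hand-built forward table).
"""
import fnmatch
from collections import namedtuple

# Priority-ordered domain rules: (domain, glob patterns over the object path).
# Order matters: an object is assigned to the FIRST domain that matches.
DOMAIN_RULES = [
    ("tagged",         ["/etc/passwd", "/etc/shadow"]),           # a priori interesting
    ("authentication", ["/bin/login", "/usr/bin/passwd", "/etc/group"]),
    ("audit",          ["/var/audit/*", "/usr/etc/audit*"]),
    ("network",        ["/usr/ucb/rlogin", "/usr/ucb/rsh", "/usr/ucb/telnet",
                        "/usr/bin/rexec", "/etc/hosts.equiv"]),
    ("system",         ["/vmunix", "/etc/*", "/dev/*"]),
    ("sys_info",       ["/usr/ucb/uptime", "/usr/bin/ps"]),
    ("user_info",      ["/usr/ucb/who", "/usr/ucb/finger", "/usr/ucb/w"]),
    ("utility",        ["/usr/bin/*", "/usr/ucb/*", "/bin/*"]),
]

# OS-specific C2 event name -> OS-independent action (assumed subset of names).
ACTION_OF = {
    "AUE_login": "session_start", "AUE_logout": "session_end",
    "AUE_open_r": "read", "AUE_open_w": "write", "AUE_execve": "execute",
    "AUE_exit": "terminate", "AUE_creat": "create", "AUE_unlink": "delete",
    "AUE_rename": "move", "AUE_chmod": "change_rights", "AUE_setuid": "change_user_id",
}

# Hand-built forwarding table: (action, domain) pairs always sent to the
# expert system; "*" matches any domain.  session_start and execute-in-network
# are the ones the NID logic needs; writes to tagged objects are notable too.
FORWARD_TABLE = {("session_start", "*"), ("execute", "network"),
                 ("write", "tagged"), ("change_user_id", "*")}

Har = namedtuple("Har", "monitor_id host_id audit_uid real_uid effective_uid time "
                        "domain action transaction object parent_pid pid retval errcode")


def classify_domain(obj, user, owner):
    """First applicable domain; owned/not_owned are relative to the audited user."""
    for domain, patterns in DOMAIN_RULES:
        if any(fnmatch.fnmatch(obj, p) for p in patterns):
            return domain
    return "owned" if owner == user else "not_owned"


def make_event(monitor_id, host_id, rec):
    """Create the abstract event (a har tuple) from one raw audit record dict."""
    action = ACTION_OF[rec["event"]]
    if action == "terminate" and rec["object_type"] != "process":
        raise ValueError("terminate applies only to processes")
    domain = classify_domain(rec["object"], rec["audit_uid"], rec["owner"])
    return Har(monitor_id, host_id, rec["audit_uid"], rec["real_uid"], rec["effective_uid"],
               rec["time"], domain, action, rec["event"], rec["object"],
               rec["ppid"], rec["pid"], rec["retval"], rec["errcode"])


def should_forward(har):
    return (har.action, har.domain) in FORWARD_TABLE or (har.action, "*") in FORWARD_TABLE


def process_audit_trail(monitor_id, host_id, records):
    """Return only the events the host monitor would send to the director."""
    return [h for h in (make_event(monitor_id, host_id, r) for r in records) if should_forward(h)]


# Constructed audit records (not real C2 output): smith logs in, runs rlogin,
# reads his own file, then tries (and fails) to write /etc/passwd.
SAMPLE_RECORDS = [
    dict(event="AUE_login", object="/dev/ttyp0", object_type="device", owner="root",
         audit_uid="smith", real_uid="smith", effective_uid="smith", time=1, ppid=1, pid=100, retval=0, errcode=0),
    dict(event="AUE_execve", object="/usr/ucb/rlogin", object_type="process", owner="root",
         audit_uid="smith", real_uid="smith", effective_uid="root", time=2, ppid=100, pid=101, retval=0, errcode=0),
    dict(event="AUE_open_r", object="/home/smith/notes", object_type="file", owner="smith",
         audit_uid="smith", real_uid="smith", effective_uid="smith", time=3, ppid=100, pid=102, retval=0, errcode=0),
    dict(event="AUE_open_w", object="/etc/passwd", object_type="file", owner="root",
         audit_uid="smith", real_uid="smith", effective_uid="smith", time=4, ppid=100, pid=103, retval=-1, errcode=13),
]

if __name__ == "__main__":
    for har in process_audit_trail("hm-1", "host1", SAMPLE_RECORDS):
        print(har)
```

Three of the four records are forwarded: the login (session_start), the rlogin execution (execute in the network domain, because the network rule is tried before the utility rule that would otherwise match /usr/ucb/*) and the failed write to the tagged /etc/passwd. The read of smith's own file is classified owned and stays on the host.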
Fig. 7.2 shows a generalized DIDS target environment. The DIDS architecture combines distributed monitoring and data reduction with centralized data analysis. In DIDS, the host and LAN monitors report events which possibly lead to intrusive activity to a centrally-located DIDS director. The DIDS architecture consists of the DIDS director, a single host monitor per host, and a single LAN monitor for each broadcast LAN segment in the network which is monitored. The host and LAN monitors are responsible for the collection of evidence of suspicious activity and the DIDS director is responsible for its evaluation. Reports are sent independently and asynchronously from the host and LAN monitors to the DIDS director through a communications architecture (Fig. 8.1). High level communication protocols between the components are based on Common Management Information Protocol (CMIP) recommendations. The architecture provides bidirectional communication between the DIDS director and any monitor in the configuration. The director employs an expert system to detect possible intrusion attacks. This architecture provides accountability by tying users to their actions.

7.4 THE LAN MONITOR

The LAN monitor is currently a subset of UC Davis' Network Security Monitor. In particular, it audits host-to-host connections, services used, and volume of traffic per connection. The LAN monitor observes each and every packet on its segment of the LAN and, from these packets, it is able to construct higher-level objects such as connections (logical circuits), and service requests using the TCP/IP or UDP/IP protocols. The LAN monitor builds its own "LAN audit trail". Similar to the host monitor, the LAN monitor uses several simple analysis techniques to identify significant events. The events include the use of certain services (e.g. rlogin and telnet) as well as activity by certain classes of hosts (e.g. a PC without a host monitor). The LAN monitor also uses and maintains profiles of expected network behavior. The profiles consist of expected data paths (e.g. which systems are expected to establish communication paths to which other systems, and by which service) and service profiles (e.g. what a typical telnet, mail, or finger is expected to look like). The LAN monitor also uses heuristics in an attempt to identify the likelihood that a particular connection represents intrusive behavior. These heuristics consider the capabilities of each of the network services, the level of authentication required for each of the services, the security level for each machine on the network, and signatures of past attacks. The abnormality of a connection is based on the probability of that particular connection occurring and the behavior of the connection itself.

A large amount of low level filtering and some analysis is performed by the LAN monitor to minimize the use of network bandwidth in passing evidence to the director. Like the host monitor, the LAN monitor forwards relevant security information to the director through its LAN agent. Upon request, the LAN monitor is also able to provide a more detailed examination of any connection, including capturing every character crossing the network (i.e. a wire-tap). This capability can be used to support a directed investigation of a particular subject or object.

The LAN monitor has several responsibilities with respect to the creation and use of the NID. The LAN monitor is responsible for detecting any connections related to rlogin and telnet sessions. Once these connections are detected, the LAN monitor can be used to verify the owner of a connection. The LAN monitor can also be used to help track tagged objects moving across the network. The System Security Officer (SSO) can also ask for a wire-tap on a certain network connection to monitor a particular user's behavior. An event reported by a LAN monitor is called a network audit record (nar). The record syntax is:

nar(Monitor-ID, Source_Host, Dest_Host, Time, Service, Domain, Status).
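Sections 7.2 through 7.4 describe the NID without showing how the pieces fit: the host monitor forwards session_start events and execute-in-network events, the LAN monitor reports rlogin/telnet connections (checked against its expected-data-path profile), and the director decides whether "jones@host2" is a new user or the continuation of "smith@host1". The block below is an added example of that decision, not DIDS code. The har and nar tuples keep only the fields the logic needs, the correlation rule (an inbound rlogin/telnet connection seen shortly before a session_start on its destination, launched from a host where the launching user already holds a NID, inherits that NID) is an assumed reading of the text, and the time window, the expected-path profile and the sample records are constructed.

```python
"""Network-user identification (NID) at the director from har and nar records.

Added example, not DIDS code.  The Har/Nar classes follow the field lists in
sections 7.3 and 7.4 but keep only the fields the NID logic needs.  The
correlation rule, WINDOW, EXPECTED_PATHS and all sample records are assumed.
"""
from dataclasses import dataclass
import itertools

WINDOW = 5  # max seconds between the nar connection and the matching har (assumed)

# Expected data paths in the LAN monitor's profile: (src, dst, service).  Assumed.
EXPECTED_PATHS = {("host1", "host2", "rlogin"), ("host2", "host3", "telnet")}


@dataclass
class Har:   # subset of har(Monitor-ID, Host-ID, Audit-UID, ..., Domain, Action, ..., Object, ...)
    host: str
    user: str
    time: int
    action: str
    domain: str
    obj: str = ""


@dataclass
class Nar:   # subset of nar(Monitor-ID, Source_Host, Dest_Host, Time, Service, Domain, Status)
    src: str
    dst: str
    time: int
    service: str
    status: str


def lan_monitor(connections):
    """Reduce observed connections (src, dst, time, service) to nar records for
    rlogin/telnet only, with Status taken from the expected-data-path profile."""
    nars = []
    for src, dst, time, service in connections:
        if service not in ("rlogin", "telnet"):
            continue
        status = "expected" if (src, dst, service) in EXPECTED_PATHS else "unexpected"
        nars.append(Nar(src, dst, time, service, status))
    return nars


class Director:
    def __init__(self):
        self._ids = itertools.count(1)
        self.sessions = {}   # (host, user) -> NID
        self.launches = []   # (host, user, time) of execute-in-network events
        self.chain = {}      # NID -> ordered list of (host, user) sessions

    def on_har(self, har, nars):
        if har.action == "execute" and har.domain == "network":
            self.launches.append((har.host, har.user, har.time))
        elif har.action == "session_start":
            nid = self._inherited_nid(har, nars)
            if nid is None:                     # first entry into the monitored environment
                nid = "nid-%d" % next(self._ids)
                self.chain[nid] = []
            self.sessions[(har.host, har.user)] = nid
            self.chain[nid].append((har.host, har.user))
        return self.sessions.get((har.host, har.user))

    def _inherited_nid(self, har, nars):
        # an inbound rlogin/telnet connection to this host just before the login...
        for nar in nars:
            if nar.dst != har.host or not (0 <= har.time - nar.time <= WINDOW):
                continue
            # ...launched from the source host by a user who already holds a NID there
            for host, user, t in self.launches:
                if host == nar.src and 0 <= nar.time - t <= WINDOW and (host, user) in self.sessions:
                    return self.sessions[(host, user)]
        return None


# Constructed scenario: smith logs in on host1, rlogins to host2 as jones and
# telnets on to host3 as guest; alice logs in on host3 directly.
CONNECTIONS = [("host1", "host2", 11, "rlogin"), ("host2", "host3", 21, "telnet"),
               ("host1", "host2", 30, "smtp")]
HARS = [
    Har("host1", "smith", 10, "session_start", "system", "/dev/ttyp0"),
    Har("host1", "smith", 11, "execute", "network", "/usr/ucb/rlogin"),
    Har("host2", "jones", 12, "session_start", "system", "/dev/ttyp1"),
    Har("host2", "jones", 20, "execute", "network", "/usr/ucb/telnet"),
    Har("host3", "guest", 22, "session_start", "system", "/dev/ttyp2"),
    Har("host3", "alice", 40, "session_start", "system", "/dev/ttyp3"),
]


def run(hars=HARS, connections=CONNECTIONS):
    """Return (sessions -> NID, NID -> login chain) after replaying all records."""
    nars = lan_monitor(connections)
    director = Director()
    for har in hars:
        director.on_har(har, nars)
    return director.sessions, director.chain


if __name__ == "__main__":
    sessions, chain = run()
    print(sessions)
    print(chain)
```

smith@host1, jones@host2 and guest@host3 end up under one NID, and the chain recorded for that NID is exactly the "go further back to the launching point" trace the scenario in 7.1 asks for; alice, whose login has no inbound connection within the window, gets a fresh NID. The smtp connection never becomes a nar, matching the LAN monitor's responsibility for rlogin and telnet only.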
CHAPTER 8 DISTRIBUTED INTRUSION DETECTION SYSTEM ARCHITECTURE

The DIDS architecture combines distributed monitoring and data reduction with centralized data analysis. This approach is unique among current IDS's. The components of DIDS are the DIDS director, a single host monitor per host, and a single LAN monitor for each broadcast LAN segment in the monitored network. The host and LAN monitors are primarily responsible for the collection of evidence of unauthorized or suspicious activity, while the DIDS director is primarily responsible for its evaluation. Reports are sent independently and asynchronously from the host and LAN monitors to the DIDS director through a communications infrastructure. High level communication protocols between the components are based on the ISO Common Management Information Protocol (CMIP) recommendations, allowing for future inclusion of CMIP management tools as they become useful. The architecture also provides for bidirectional communication between the DIDS director and any monitor in the configuration. This communication consists primarily of notable events and anomaly reports from the monitors. The director can also make requests for more detailed information from the distributed monitors via a "GET" directive, and issue commands to have the distributed monitors modify their monitoring capabilities via a "SET" directive. Because the components are logically independent processes, they could be distributed as well.

Like the host monitor, the LAN monitor consists of a LAN event generator (LEG) and a LAN agent. The LEG is currently a subset of UC Davis' NSM. Its main responsibility is to observe all of the traffic on its segment of the LAN to monitor host-to-host connections, services used, and volume of traffic. The LAN monitor reports on such network activity as rlogin and telnet connections, the use of security-related services, and changes in network traffic patterns. DIDS can potentially handle hosts without monitors since the LAN monitor can report on the network activities of such hosts.

The DIDS director consists of three major components that are all located on the same dedicated workstation. The communications manager is responsible for the transfer of data between the director and each of the host and LAN monitors. It accepts the notable event records from each of the host and LAN monitors and sends them to the expert system. On behalf of the expert system or user interface, it is also able to send requests to the host and LAN monitors for more information regarding a particular subject. The expert system is responsible for evaluating and reporting on the security state of the monitored system. It receives the reports from the host and LAN monitors and, based on these reports, it makes inferences about the security of each individual host, as well as the system as a whole. The expert system is a rule-based system with simple learning capabilities. The director's user interface allows the System Security Officer (SSO) interactive access to the entire system. The SSO is able to watch activities on each host, watch network traffic (by setting "wire-taps"), and request more specific types of information from the monitors.

8.1 COMMUNICATION ARCHITECTURE

It is anticipated that a growing set of tools, including incident-handling tools and network-management tools, will be used in conjunction with the intrusion-detection functions of DIDS. Incident-handling tools may consist of possible courses of action to take against an attacker, such as cutting off network access, removal of system access, a directed investigation of a particular user, etc. This will give the SSO the ability to actively respond to attacks against the system in real-time. Network-management tools that are able to perform network mapping would also be useful.

Fig. 8.1: Communication Architecture
The architecture provides bidirectional communication between the DIDS director and any monitor in the configuration, and the communication consists of notable events and anomaly reports. The director makes requests for more detailed information from the distributed monitors. The host monitor consists of a host event generator and a host agent. The host event generator collects and analyses audit records from the host operating system; the audit records are scanned for notable events, and the notable events are sent to the director for further analysis. The LAN monitor consists of a LAN event generator and a LAN agent. The LAN event generator is a subset of NSM and is responsible for observing all the traffic on its segment of the LAN, in order to monitor host-to-host connections, services used and volume of traffic. The DIDS director consists of three major components, namely a communication manager, an expert system and a user interface. The communication manager transfers data between the director and the monitors: it accepts the notable event records from each host and LAN monitor and sends them to the expert system, and it also sends requests to the host and LAN monitors for information regarding a particular user. The expert system is responsible for evaluating and reporting the security state of the monitored system; it receives the reports from the host and LAN monitors and makes inferences about the security of each individual host. The expert system has simple learning capabilities.

8.2 A STANDARD NETWORK INTRUSION DETECTION ARCHITECTURE

Fig. 8.2 shows the traditional sensor-based network intrusion detection architecture. A sensor is used to "sniff" packets off the network, where they are fed into a detection engine which will set off an alarm if any misuse is detected. These sensors are distributed to various mission-critical segments of the network. A central console is used to collect the alarms from multiple sensors. The sensor is usually a stand-alone machine or network device. However, in order to better understand the traditional sensor-based architecture, the lifecycle of a network packet should be examined.

Fig. 8.2: A Standard Network Intrusion Detection Architecture

The network packet is created when one computer communicates with another. The packet is read, in real time, off the network through a sensor resident on a network segment located somewhere between the two communicating computers. A sensor-resident detection engine is used to identify predefined patterns of misuse. If a pattern is detected, an alert is generated. The security officer is notified about the misuse; this can be done through a variety of methods including audible, visual, pager, email, or any other method. A response to the misuse is generated: the response subsystem matches alerts to predefined responses or can take responses from the security officer. The alert is stored for correlation and review at a later time. Reports are generated that summarize the alert activity. Data forensics is used to detect long-term trends, and some systems allow archiving of the original traffic to replay sessions.
A few years ago all commercial network intrusion detection systems used promiscuous-mode sensors. However, these technologies were subject to packet loss on high speed networks. A new architecture for network intrusion detection was created that dealt with the performance problem on high speed networks by distributing sensors to every computer on the network. In network-node intrusion detection each sensor is concerned only with packets directed at the target in which the sensor resides. The sensors then communicate with each other and the main console to aggregate and correlate alarms. However, this network-node architecture has added to the confusion over the difference between network and host-based intrusion detection. A network sensor that is running on a host machine does not make it a host-based sensor. Network packets directed to a host and sniffed at a host are still considered network intrusion detection.

8.3 DISTRIBUTED HOST RESIDENT INTRUSION DETECTION

Fig. 8.3 represents the network-node intrusion detection architecture. A network packet is created. The packet is read in real-time off the network through a sensor resident on the destination machine; an agent is used to read packets off the TCP/IP stack layer where the packets have been reassembled. The packet is then fed into the detection engine located on the target machine, which is used to identify pre-defined patterns of misuse. If a pattern is detected, an alert is generated and forwarded to a central console or to other sensors in the network. Network node agents communicate with each other on the network to correlate alarms at the console. The security officer is notified. A response is generated. The alert is stored for later review and correlation. Reports are generated summarizing alert activity. Data forensics is then used to look for long-term trends.

Fig. 8.3: A Distributed Host Resident Intrusion Detection Architecture

However, the architectures require operational modes in order to operate. Operational modes describe the manner in which the intrusion detection system will operate and partially describe the end goals of monitoring. There are two primary operational modes for network-based intrusion detection: tip-off and surveillance. In tip-off mode the system is used to detect misuse as it is happening. By observing patterns of behavior, suspicious behavior can be detected to "tip off" the officer that misuse may be occurring. This is the traditional context for intrusion detection systems. The defining characteristic of tip-off is that the system is detecting patterns that have not been detected before. Unlike tip-off, surveillance takes place when misuse has already been suspected. Surveillance is characterized by an increased observance of the behavior of a small set of subjects. During surveillance, targets are observed more closely for patterns of misuse. Surveillance results from a tip-off from either the intrusion detection system or another indicator.
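The packet lifecycle of sections 8.2 and 8.3 (packet, detection engine, alert, notification/response, storage, report) and the two operational modes just described can be put together in one small sensor. The code below is an added example written for this report, not code from any product discussed on the page. The packet records, signatures and response table are constructed, and the escalation rule (a tip-off hit on a source places that source under surveillance, after which all of its packets are retained and checked against a broader pattern set) is one assumed way of implementing surveillance.

```python
"""Sensor-based detection pipeline with tip-off and surveillance modes.

Added example, not code from the original report.  Packet records, misuse
signatures and the response table are constructed for illustration; the
escalation rule from tip-off to surveillance is an assumed implementation
of the two operational modes described in the text.
"""
import re
from collections import Counter

# Constructed packets as (src, dst, service, payload); not a real capture.
PACKETS = [
    ("10.0.0.5", "10.0.1.2", "telnet", "login: guest\r\nPassword: \r\n"),
    ("10.0.0.5", "10.0.1.2", "telnet", "Login incorrect\r\n"),
    ("10.0.0.5", "10.0.1.2", "telnet", "guest@h2$ cat /etc/passwd\r\n"),
    ("10.0.0.9", "10.0.1.2", "smtp",   "MAIL FROM:<alice@example.test>\r\n"),
    ("10.0.0.5", "10.0.1.3", "telnet", "guest@h3$ finger @h4\r\n"),
    ("10.0.0.9", "10.0.1.3", "finger", "alice\r\n"),
]

# Tip-off signatures: patterns the engine is always watching for.
TIPOFF_SIGNATURES = {
    "passwd-read": re.compile(r"\bcat\s+/etc/passwd\b"),
    "login-failure": re.compile(r"Login incorrect"),
}
# Broader patterns applied only to subjects already under surveillance.
SURVEILLANCE_SIGNATURES = {
    "user-probe": re.compile(r"\b(finger|who|w)\b"),
    "shell-prompt": re.compile(r"\$ "),
}
# Response subsystem: predefined response per signature (assumed names).
RESPONSES = {"passwd-read": "notify+wiretap", "login-failure": "notify",
             "user-probe": "notify", "shell-prompt": "log"}


class Sensor:
    def __init__(self):
        self.alerts = []            # stored for later correlation and review
        self.surveillance = set()   # the small set of subjects watched more closely
        self.captured = []          # full packets retained for surveilled subjects

    def _alert(self, name, pkt, mode):
        src, dst, service, _ = pkt
        alert = {"signature": name, "mode": mode, "src": src, "dst": dst,
                 "service": service, "response": RESPONSES[name]}
        self.alerts.append(alert)
        return alert

    def process(self, pkt):
        """Detection engine: tip-off patterns first; a hit escalates the source
        to surveillance, where retained traffic gets the broader pattern set."""
        src, _dst, _service, payload = pkt
        for name, pattern in TIPOFF_SIGNATURES.items():
            if pattern.search(payload):
                self._alert(name, pkt, "tip-off")
                self.surveillance.add(src)
        if src in self.surveillance:
            self.captured.append(pkt)
            for name, pattern in SURVEILLANCE_SIGNATURES.items():
                if pattern.search(payload):
                    self._alert(name, pkt, "surveillance")

    def report(self):
        """Summary of alert activity per (source, signature), the report step."""
        return Counter((a["src"], a["signature"]) for a in self.alerts)


def run(packets=PACKETS):
    sensor = Sensor()
    for pkt in packets:
        sensor.process(pkt)
    return sensor


if __name__ == "__main__":
    s = run()
    for a in s.alerts:
        print(a)
    print("under surveillance:", s.surveillance)
    print(s.report())
```

On the constructed capture the failed login is the tip-off; from that packet on, everything from 10.0.0.5 is retained and the finger probe and shell prompts, which would not be alerts on their own, are reported in surveillance mode. Traffic from 10.0.0.9 never triggers anything and is never retained, which is the point of surveillance being limited to a small set of subjects.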
In order for there to be a tip-off, a data source needs to be searched for suspicious behavior. Host-based intrusion detection systems analyze data that originates on computers, such as application and operating system event logs and file attributes. Host data sources are numerous and varied, including operating system event logs, such as kernel logs, and application logs such as syslog. These host event logs contain information about file accesses and program executions associated with inside users. If protected correctly, event logs may be entered into court to support the prosecution of computer criminals.

There are many attack scenarios that host-based intrusion detection guards against. One of these scenarios is the abuse of privilege attack scenario. That is when a user has root, administrative or some other privilege and uses it in an unauthorized manner. Another scenario involves contractors with elevated privileges. Most security policies restrict non-employees from having root or administrator privileges; however, it might be easier to elevate the user and reduce privileges later. This usually happens when an administrator gives a contractor elevated privileges to install an application. However, the administrator might forget to remove the privileges. A third attack scenario involves ex-employees utilizing their old accounts. Most organizations have policies in place to delete or disable accounts when individuals leave. However, they take time to delete or disable, leaving a window for a user to log back in. Another scenario involves modifying web site data. There have been many cases, against government agencies in particular, that result in uncomplimentary remarks posted on web sites. While these attacks originate from outside the network, they are perpetrated on the machine itself through alteration of data.

With a review of what attacks host-based intrusion detection systems prevent, it is important to examine the architecture to see how it prevents those attacks. Fig. 8.4 represents the typical life cycle of an event record running through this type of architecture, and Fig. 8.5 represents the distributed real-time host-based intrusion detection architecture. The difference between the two is that in Fig. 8.4 the raw data is forwarded to a central location before it is analyzed; in the centralized architecture, data is forwarded to an analysis engine running independently from the target. In Fig. 8.5, the raw data is analyzed in real time on the target first and then only alerts are sent to the command console. There are advantages and disadvantages to each method. However, the best systems offer both types of processing.
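The scenarios above (abuse of privilege, a contractor keeping root past the install window, an ex-employee whose account was not yet disabled, web content altered on the host) are all visible in host event logs if a rule is looking for them. The block below is an added example, not code from the original report, that runs such rules over a handful of constructed syslog-style lines. The line format, the HR and contract tables, the set of web administrators and the rules themselves are all assumptions standing in for real policy data.

```python
"""Host-based tip-off checks for the attack scenarios in the text, run over
constructed host event log lines.

Added example, not code from the original report.  The log format is a
simplified syslog-style line invented for this example; LEAVING_DATE,
CONTRACT_ROOT_WINDOW and WEB_ADMINS stand in for HR / ticketing data.
"""
import re
from datetime import datetime

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"session opened for user (?P<user>\w+)")
SUDO_RE = re.compile(r"(?P<user>\w+) : .*COMMAND=(?P<cmd>.*)$")
WRITE_RE = re.compile(r"user=(?P<user>\w+) wrote (?P<path>\S+)")

# Constructed policy data (assumed).
LEAVING_DATE = {"bob": datetime(2024, 3, 1)}                       # ex-employee
CONTRACT_ROOT_WINDOW = {"vendor": (datetime(2024, 3, 5), datetime(2024, 3, 6))}
WEB_ADMINS = {"webadm"}
WEB_ROOT = "/var/www/"

# Constructed log lines, not taken from a real system.
LOG_LINES = """\
2024-03-04T09:00:00 www1 login: session opened for user alice
2024-03-04T09:05:00 www1 login: session opened for user bob
2024-03-05T10:00:00 www1 sudo: vendor : TTY=pts/0 ; COMMAND=/usr/bin/pkg install app
2024-03-07T02:00:00 www1 sudo: vendor : TTY=pts/1 ; COMMAND=/bin/sh
2024-03-07T02:01:00 www1 audit: user=vendor wrote /var/www/index.html
2024-03-07T08:00:00 www1 audit: user=webadm wrote /var/www/index.html
""".splitlines()


def parse(line):
    """Split one log line into timestamp, host, program and message."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def check(rec):
    """Return the list of (scenario, user) findings for one parsed record."""
    findings = []
    ts, prog, msg = rec["ts"], rec["prog"], rec["msg"]
    if prog == "login" and (m := LOGIN_RE.search(msg)):
        # ex-employee scenario: account still usable after the leaving date
        user = m["user"]
        if user in LEAVING_DATE and ts >= LEAVING_DATE[user]:
            findings.append(("ex-employee-login", user))
    elif prog == "sudo" and (m := SUDO_RE.search(msg)):
        # contractor scenario: root use outside the agreed install window
        user = m["user"]
        if user in CONTRACT_ROOT_WINDOW:
            start, end = CONTRACT_ROOT_WINDOW[user]
            if not (start <= ts <= end):
                findings.append(("contractor-privilege-outside-window", user))
    elif prog == "audit" and (m := WRITE_RE.search(msg)):
        # web defacement scenario: site content changed by a non-web-admin
        user, path = m["user"], m["path"]
        if path.startswith(WEB_ROOT) and user not in WEB_ADMINS:
            findings.append(("web-content-modified", user))
    return findings


def scan(lines):
    """Run every rule over every line; the result is the tip-off for the officer."""
    results = []
    for line in lines:
        rec = parse(line)
        if rec is not None:
            results.extend((rec["ts"].isoformat(), s, u) for s, u in check(rec))
    return results


if __name__ == "__main__":
    for r in scan(LOG_LINES):
        print(r)
```

The scan yields three findings: bob's login three days after his leaving date, the vendor account obtaining a root shell a day after its install window closed, and that same account rewriting the site's index page; alice's login, the in-window package install and the web administrator's own edit produce nothing. Whether the raw lines are shipped to a console first (Fig. 8.4) or checked on the host and only the findings forwarded (Fig. 8.5) is the architectural choice the next two sections compare.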
8.4 A CENTRALIZED HOST-BASED INTRUSION DETECTION

Fig. 8.4: A Centralized Host-Based Intrusion Detection Architecture

An event record is created. This occurs when an action happens, such as a file being opened or a program being executed, like the text editor Microsoft Word. The record is written into a file that is usually protected by the operating system trusted computing base. The target agent transmits the file to the command console. This happens at predetermined time intervals over a secure connection. The detection engine, configured to match patterns of misuse, processes the file. A log is created that becomes the data archive for all the raw data that will be used in prosecution. An alert is generated: when a predefined pattern is recognized, such as access to a mission critical file, an alert is forwarded to a number of various subsystems for notification, response, and storage. The security officer is notified. A response is generated. The response subsystem matches alerts to predefined responses or can take response commands from the security officer. Responses include reconfiguring the system, logging off a user, shutting down a target, or disabling an account. The alert is stored. The storage is usually in the form of a database. Some systems store statistical data as well as alerts. Reports are generated; reports can be a summary of the alert activity. Data forensics is used to locate long-term trends, and behavior is analyzed using both the stored data in the database and the raw event log archive. The raw data is transferred to a raw data archive. This archive is cleared periodically to reduce the amount of disk space used.

The lifecycle of an event record through a distributed real-time architecture is similar, except that the record is discarded after the target detection engine analyzes it. The advantage to this approach is that everything happens in real-time. The disadvantage is that the end users suffer from system performance degradation.

8.5 A DISTRIBUTED REAL-TIME HOST-BASED INTRUSION DETECTION

Fig. 8.5: A Distributed Real-Time Host-Based Intrusion Detection Architecture

An event record is created. The file is read in real-time and processed by a target resident detection engine. An alert is generated and then sent to a central console. The security officer is notified; some systems notify directly from the target, while others notify from a central console. A response is generated. The response may be generated from the target or console. The alert is stored. Statistical behavioral data outside alert data are not usually available in this architecture. Reports are generated. Data forensics is used to search for long-term trends. However, because there is no raw data archive and no statistical data, this capacity is limited.
CHAPTER 9 THE EXPERT SYSTEM

DIDS utilizes a rule-based (or production) expert system. The expert system is currently written in Prolog, and much of the form of the rule base comes from Prolog and the logic notation that Prolog implies. The expert system uses rules derived from the hierarchical Intrusion Detection Model (IDM). The IDM describes the data abstractions used in inferring an attack on a network of computers. That is, it describes the transformation from the distributed raw audit data to high-level hypotheses about intrusions and about the overall security of the monitored environment. In abstracting and correlating data from the distributed sources, the model builds a virtual machine which consists of all the connected hosts as well as the network itself. This unified view of the distributed system simplifies the recognition of intrusive behavior which spans individual hosts. The model is also applicable to the trivial network of a single computer. The model is the basis of the rule base. It serves both as a description of the function of the rule base, and as a touchstone for the actual development of the rules.

The IDM consists of 6 layers, each layer representing the result of a transformation performed on the data (see Table 9.1). The objects at the first level of the model are the audit records provided by the host operating system, by the LAN monitor, or by a third-party auditing package. The objects at this level are both syntactically and semantically dependent on the source. At this level, all of the activity on the host or LAN is represented.

At the second level, the event (which has already been discussed in the context of the host and LAN monitor) is both syntactically and semantically independent of the source: there is a standard format for events.

The third layer of the IDM creates a subject. This introduces a single identification for a user across many hosts on the network. It is the subject who is identified by the NID. Upper layers of the model treat the network-user as a single entity, essentially ignoring the local identification on each host. Similarly, above this level, the collection of hosts on the LAN is generally treated as a single distributed system, with little attention being paid to the individual hosts.
Table 9.1: Intrusion Detection Model

The fourth layer of the model introduces the event in context. There are two kinds of context: temporal and spatial. The IDM, therefore, allows for the application of information about wall-clock time to the events it is considering. Wall-clock time refers to information about the time of day, weekdays versus weekends and holidays, as well as periods when an increase in activity is expected. As an example of temporal context, behavior which is unremarkable during standard working hours may be highly suspicious during off hours. In addition to the consideration of external temporal context, the expert system uses time windows to correlate events occurring in temporal proximity. This notion of temporal proximity implements the heuristic that a call to the UNIX who command followed closely by a login or logout is more likely to be related to an intrusion than either of those events occurring alone. The model also allows for the correlation of multiple events from the same user or source. That is, multiple events are more noteworthy when they have a common element than when they do not. Spatial context implies the relative importance of the source of events. For instance, events related to a particular user, or events from a particular host, may be more likely to represent an intrusion than similar events from a different source. In the same way, a user moving from a low-security machine to a high-security machine may be of greater concern than a user moving in the opposite direction.
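The fourth layer described above (wall-clock context, time windows for temporal proximity, and spatial context) can be shown on a small event stream. The following Python program is an added example written for this report; it is not DIDS code and not part of the original text. The working-hours policy (08:00 to 18:00 on weekdays), the five-minute window, the host security levels in HOST_LEVEL, the host and user names, and the tag names are all constructed assumptions; the "who followed by login/logout" heuristic and the low-to-high host move are the page's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed security levels for the hosts in the sample
# (assumption: a larger number means a more sensitive machine).
HOST_LEVEL = {"lab-ws": 1, "dev-srv": 2, "payroll-db": 3}

# Wall-clock policy assumed for the example: working hours are 08:00-18:00
# on weekdays; everything else counts as off hours.
WORK_START, WORK_END = 8, 18


@dataclass(frozen=True)
class Event:
    time: datetime
    host: str
    user: str      # the network-wide subject (NID), not the local login name
    action: str    # "who", "login", "logout", ...


def off_hours(t: datetime) -> bool:
    """External temporal context: weekend, or outside working hours."""
    return t.weekday() >= 5 or not (WORK_START <= t.hour < WORK_END)


def correlate(events, window=timedelta(minutes=5)):
    """Attach context tags to each event; events that collect no tag are dropped.

    Returns a list of (event, [tags]) in time order.
    """
    findings = []
    ordered = sorted(events, key=lambda e: e.time)
    for i, ev in enumerate(ordered):
        tags = []
        earlier = ordered[:i]          # everything that happened before ev

        if off_hours(ev.time):
            tags.append("off-hours")

        # Temporal proximity: a who command by the same subject shortly
        # before a login or logout is treated as related to it.
        if ev.action in ("login", "logout"):
            if any(p.user == ev.user and p.action == "who"
                   and ev.time - p.time <= window for p in earlier):
                tags.append("who-then-" + ev.action)

        # Spatial context: the subject's previous login was on a less
        # sensitive host than this one (low-security to high-security move).
        if ev.action == "login":
            prior_logins = [p for p in earlier
                            if p.user == ev.user and p.action == "login"]
            if prior_logins and (HOST_LEVEL.get(ev.host, 0)
                                 > HOST_LEVEL.get(prior_logins[-1].host, 0)):
                tags.append("low-to-high-move")

        if tags:
            findings.append((ev, tags))
    return findings


# Constructed sample event stream (Tuesday 2024-03-12; times are local).
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 12, 2, 10), "lab-ws", "alice", "who"),
    Event(datetime(2024, 3, 12, 2, 12), "lab-ws", "alice", "login"),
    Event(datetime(2024, 3, 12, 2, 20), "payroll-db", "alice", "login"),
    Event(datetime(2024, 3, 12, 10, 0), "dev-srv", "bob", "login"),
    Event(datetime(2024, 3, 12, 10, 30), "dev-srv", "bob", "who"),
]


def demo():
    """Run the correlator over the constructed stream."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ev, tags in demo():
        print(ev.time.strftime("%H:%M"), ev.user, ev.host, ev.action, tags)
```

Only alice's activity is reported: her who command at 02:10 is off hours, the login two minutes later also falls inside the who window, and the later login on payroll-db is a move from level 1 to level 3. Her 02:10 who command is ten minutes before that second login, outside the five-minute window, so it is not tied to it. bob's daytime login and who command collect no context at all, which is the point of the model: the same events are unremarkable without context.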
The fifth layer of the model considers the threats to the network and the hosts connected to it. Events in context are combined to create threats. The threats are partitioned by the nature of the abuse and the nature of the target. In other words, what is the intruder doing, and what is he doing it to? Abuses are divided into attacks, misuses, and suspicious acts. Attacks represent abuses in which the state of the machine is changed. That is, the file system or process state is different after the attack than it was prior to the attack. Misuses represent out-of-policy behavior in which the state of the machine is not affected. Suspicious acts are events which, while not a violation of policy, are of interest to the IDS. For example, commands which provide information about the state of the system may be suspicious. The targets of abuse are characterized as being either system objects or user objects, and as being either passive or active. User objects are owned by non-privileged users and/or reside within a non-privileged user's directory hierarchy. System objects are the complement of user objects. Passive objects are files, including executable binaries, while active objects are essentially running processes.

At the highest level, the model produces a numeric value between one and 100 which represents the overall security state of the network. The higher the number, the less secure the network. This value is a function of all the threats for all the subjects on the system. Here again we treat the collection of hosts as a single distributed system. Although representing the security level of the system as a single value seems to imply some loss of information, no information is lost, since the expert system maintains all the evidence used in calculating the security state in its internal database, and the SSO has access to that database. In fact, it provides a quick reference point for the SSO.

In the context of the network-user identification problem we are concerned primarily with the lowest three levels of the model: the audit data, the event, and the subject. The generation of the first two of these has already been discussed; thus, the creation of the subject is the focus of the following subsection.

The expert system is responsible for applying the rules to the evidence provided by the monitors. In general, the rules do not change during the execution of the expert system. What does change is a numerical value associated with each rule. This Rule Value (RV) represents our confidence that the rule is useful in detecting intrusions. These rule values are manipulated using a negative reinforcement training method which allows the expert system to continually lower the number of false attack reports. When a potential attack is reported by the expert system, the SSO determines the validity of the report and gives feedback to the expert system. If the report was deemed faulty, then the expert system lowers the RVs associated with the rules that were used to draw that conclusion. In addition to this directed training, which may lower some rule values, the system also automatically increases the RVs of all the rules on a regular basis. This recovery algorithm allows the system to adapt to changes in the environment as well as recover from faulty training.

The expert system shell consists of approximately a hundred lines of Prolog source code. The shell is responsible for reading new facts reported by the distributed monitors, attempting to apply the rules to the facts and hypotheses in the Prolog database, reporting suspected intrusions, and maintaining the various dynamic values associated with the rules and hypotheses. The overall structure of the rule base is a tree rooted at the top. Thus, many facts at the bottom of the tree will lead to a few conclusions at the top of the tree. Logically the rules have the form:

    Antecedent => Consequence

where the antecedent is either a fact reported by one of the distributed monitors, or a consequence of some previously satisfied rule. The antecedent may also be a conjunction of these. Disjunctive rules are not allowed; that situation is dealt with by having multiple rules with the same consequence. The syntax for rules is:

    rule(n, r, (single, [A]), (C)).

where n is the rule number, r is the initial RV, A is the single antecedent, and C is the consequence. Conjunctive rules have the form:

    rule(n, r, (and, [A1, A2, A3]), (C)).

where A1, A2, A3 are the antecedents and C is the consequence.

9.1 ADVANTAGES

The distributed Intrusion Detection Model based on protocol analysis has the following advantages:

System structure is simple. The system consists of three modules: the Detect Module, the Process Module and the Response Module. Data transmission between the modules therefore does not need many intermediate layers, which enhances the transfer rate between the modules.

Detection speed is fast. In the Detect Module, only the important characteristics of a packet are extracted and passed to the Process Module for processing, and the strings of characteristics are short: their length is often only a small percentage of the length of all the data packets. This not only saves resources in the detection part and in the Process Module, but also greatly improves the rate at which packet characteristics are transmitted per unit time. This model uses a high-speed link, which greatly improves the data transmission speed. Because the rule base of the central part is constituted by the characteristics of these intrusion data, the matching speed can be greatly enhanced; even if there is a lot of data that needs to be processed at the same time, the system can still complete the matching task, detect intrusions in time, and enhance the detection rate.

When there is more data traffic on the network, this intrusion detection has great advantages. A large flow of network data gives a hacker an opportunity: some method can be used to send a large number of flood packets that litter the network. If at that time there are delays in the detection and processing parts, or the matching time between the processing of the rule base and the data sent is too long, then a large part of the data will certainly not be detected, and the undetected rate of general intrusion detection systems will increase sharply. Finally, the hackers can mix intrusion data packets with the littering packets, slipping through the openings in the packet stream, so as to achieve their sinister purposes.

9.2 COMPARISON OF DIFFERENT ARCHITECTURES

Table 9.2 summarizes the advantages and disadvantages of the centralized detection architecture. There is little impact on the performance of the target machine, because all the analysis happens elsewhere. Multi-host signatures are possible because the centralized engine has access to data from all targets. The centralized raw data can be used for prosecution, provided the integrity of the data is preserved.
Table 9.T 46 .I.2: Advantages and Disadvantages of a Centralized Detection Architecture Table 9.3 illustrates the advantages and disadvantages of a real-time distributed intrusion detection system.3 Advantages and Disadvantages of a Distributed Real-Time Architecture Host-based and network-based systems are both required because they provide significantly different benefits. Detection.4 summarizes these differences. Table 9. damage assessment. This table is a mirror image of Table 9.and Host-Based Benefits DEPT. Table 9. response. OF CSE / B.4: Comparing Network. attack anticipation and prosecution support are available at different degrees from the different technologies.L.2 with a few minor additions.T. deterrence.DISTRIBUTED INTRUSION DETECTION SYSTEM BASED ON PROTOCOL ANALYSIS Table 9.
CONCLUSION

Intrusion detection technology based on protocol analysis has become one of the technologies for the next generation of intrusion detection systems. This paper presents a Distributed Intrusion Detection System based on protocol analysis which is simple in structure, fast in detection speed, efficient in detection, safe in resources, etc., and is an affordable intrusion detection system. However, the diversity of network intrusions makes it impossible for the detection system to detect everything, especially because the rule base can only extract the characteristics of known intrusions, so that some intrusions fail to be recognized and go undetected, resulting in some missed detections. With the development of technology, the system must be able to change with the trend of network data and make adaptive changes, which would give the system the functions of self-learning and adaptivity. Research on Distributed Intrusion Detection is still at the initial stage; the protocol analysis presented in this paper has a certain stimulating function in improving the performance of existing distributed intrusion detection systems, and should have some practical significance for the future of the Distributed Intrusion Detection System.
FUTURE WORK

The Distributed Intrusion Detection System (DIDS) is being developed to address the shortcomings of current single-host IDSs by generalizing the target environment to multiple hosts connected via a network (LAN). Most current IDSs do not consider the impact of the LAN structure when attempting to monitor user behavior for attacks against the system. Intrusion detection systems designed for a network environment will become increasingly important as the number and size of LANs increase. The prototype has demonstrated the viability of our distributed architecture in solving the network-user identification problem. The system was tested on a sub-network of Sun SPARC stations, and it has correctly identified network users in a variety of scenarios. The initial prototype expert system has been written in Prolog, but it is currently being ported to CLIPS due to the latter's superior performance characteristics and easy integration with the C programming language. Work continues on the design, development, and refinement of rules, particularly those which can take advantage of knowledge about particular kinds of attacks, based on a specific context. In addition to the current host monitor, which is designed to detect attacks on general-purpose multi-user computers, there is the intention to develop monitors for application-specific hosts such as file servers and gateways, and to design a signature analysis component for the host monitors to detect events and sequences of events that are known to be indicative of an attack. In support of the ongoing development of DIDS there is a plan to extend the model to a hierarchical Wide Area Network environment.