Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz Hakan Evecek Rodolfo Ortiz

GOALS 1.Discuss the characteristics of a Behavior Intrusion Detection Systems 2.Monitor the timing for a sequence of DNS, ICMP, HTTP/HTTPS packets. 3.Provide the results. 4.Analyze the behavior of protocols when firewall enabled/disabled. 5.Present an approach to prioritize suspicious packets. 6.How to enhance Behavior IDS

WHAT IS IDS? IDS is concerned with the detection of hostile actions towards a computer system or network. There are two types:  Anomaly detection (Behavior IDS)  Signature detection

OVERVIEW OF BIDS They can be described as an alarm for strange system behavior. Based on statistics. Advantages  They don’t need to know the details of an attack  Dynamic, they are automatically updated Disadvantages  Many false positives are generated during the sensor training  The training must be extensive so that the baseline is accurate

OVERVIEW OF BIDS Anomalies to be detected:  Traffic to unused ports  Non standard service assigned to one standard port (port 80 set for peer sharing)  Too much UDP/TCP traffic  More bytes coming to a HTTP server than outgoing bytes

Measure timing for DNS, ICMP and HTTP/HTTPS Establish a baseline for different packet sequences Label packets outside the baseline for further analysis IDS Outer (FC4) Intra1 (XP) Internet DLink SW2 DNS Server Web Server Intranet ( /24) DLink SW1 Intra2(win2003) DMZ ( /24) HP5000 SW Firewall IDS Inner (FC4) Firewall (FC4) THE PROJECT IDS Sensor DB IDS Sensor

ICMP Intra1 (XP) ICMP Request ICMP Reply Firewall D C B A SERVER IDS Inner

DNS DNS SERVER DNS Request DNS Reply Firewall IDS Inner D C B A Intra1 (XP)

HTTP

SERVER HELLO CERTIFICATE SERVER KEY EXCHANGE CERTIFICATE REQUEST SERVER HELLO DONE HTTPS

Units are in seconds. In a normal distribution, approximately 99.7% of the population will be in the interval defined by works well for the upper bound, but the lower bound is defined by Using the formula above, we get a confidence interval  3  DATA OBTAINED  1   3 

Firewall Blue-enabled Pink-disabled Packets outside the range in a circle 3 times standard deviation ICMP Time (sec) Packet Sequence Number

Firewall Blue-enabled Pink-disabled Packets outside the range in a circle 3 times standard deviation DNS Time (sec) Packet Sequence Number

Firewall enabled Blue-HTTP Pink-HTTPS Packets outside the range in a circle 3 times standard deviation HTTP vs. HTTPS Time (sec) Packet Sequence Number

HTTP vs. HTTPS Firewall disabled Blue-HTTP Pink-HTTPS Packets outside the range in a circle 3 times standard deviation Time (sec) Packet Sequence Number

HTTP vs. HTTPS

Using the standard deviation, the intervals will be defined. Starting from 3 times for upper bound and 1 time for lower bound. Label the suspicious packets and give them priorities based on their distance from the confidence interval. Upper boundLower bound PROPOSED APPROACH  3   1 

Firewall enabled ICMP 6 times standard deviation (higher priority) 3 times (lower priority) Confidence interval 1 time (lower priority) 2 times (higher priority) Time (sec) Packet Sequence Number

Firewall enabled DNS 6 times standard deviation (higher priority) 3 times (lower priority) Confidence interval 1 time (lower priority) 2 times (higher priority) Time (sec) Packet Sequence Number

Firewall enabled HTTP 6 times standard deviation (higher priority) 3 times (lower priority) Confidence interval 1 time (lower priority) 2 times (higher priority) Time (sec) Packet Sequence Number

Firewall enabled HTTPS 6 times standard deviation (higher priority) 3 times (lower priority) Confidence interval 1 time (lower priority) 2 times (higher priority) Time (sec) Packet Sequence Number

The suspicious packets are defined. Then prioritize/label the packets based on the distance from the mean. How do we know it’s an attack? Define a behavior for each kind of attack, e.g. worms SUSPICIOUS PACKETS

Based on “ A behavioral approach to worm detection” [20] Need to look for this pattern of information –behavioral signature- in the database. WORMS BEHAVIOR CA A:? -> C:D C:? -> E:D Host A and C and E are infected D is port number

 What to do with the packet? How to know if it is from an intruder?  What data do we need to store?  How to collect the data towards an automated process?  How can SNORT create the intervals automatically?  Implement the approach in SNORT’s source code  Analyzing other protocols FUTURE WORK

 Analyzing other scenarios like an internet server instead of a local server  Analyze wireless communication  DNSSecure  Behavioral signatures for other attacks FUTURE WORK

Timing is important and we also need to look at other variables, like performance before making a decision. This decreases false positives. The intervals work in the studied protocols, results may change for other protocols. Intervals need to be tested using attacks like DDoS, worms, etc. HTTP and HTTPS graphs are different because more information is exchanged and timing varies. CONCLUSION

Network Intrusion Detection. Stephen Northcutt, Judy Novak. New Riders 2003 Defending yourself: The role of Intrusion Detection Systems. Jon McHugh, Alan Christie and Julia Allen Design of an Autonomous Anti-DdoS Network (A2D2). Angela Cearns Thesis, 2002 Intrusion detection with SNORT. Rafeeq Ur Rehman. Prentice Hall 2003 REFERENCES

QUESTIONS?