A Wavelet Approach to Network Intrusion Detection
W. Oblitey & S. Ezekiel, IUP Computer Science Dept.

Presentation transcript:

1 A Wavelet Approach to Network Intrusion Detection
W. Oblitey & S. Ezekiel, IUP Computer Science Dept.

2 Intrusion Detection
• Provides monitoring of system resources to help detect intrusions and identify attacks.
• Complementary to blocking devices (firewalls), which on their own cannot see:
  • Insider attacks.
  • Attacks that use traffic permitted by the firewall.
• Can monitor an attack after it has crossed the firewall.
• Helps gather information useful for:
  • Detecting attackers.
  • Identifying attackers.
  • Revealing new attack strategies.

3 Classification
• Intrusion detection systems are classified according to how they detect malicious activity:
  • Signature detection systems (also called misuse detection systems).
  • Anomaly detection systems.
• They are also classified by what they monitor:
  • Network-based intrusion detection systems (NIDS) monitor network traffic.
  • Host-based intrusion detection systems (HIDS) monitor activity on host machines.

4 Signature Detection
• Achieved by creating signatures: models of attacks.
• Monitored events are compared against the models to decide whether they qualify as attacks.
• Excellent at detecting known attacks; an attack with no signature goes undetected.
• Requires the signatures to be created and loaded into the sensor's database before operation.
• May generate false alarms (false positives).
• Problem: effective detection needs a large number of signatures, and the database can grow very large.

5 Anomaly Detection
• Creates a model of normal use and looks for activity that does not conform to the model.
• Problems with this method:
  • Difficulty in creating the model of normal activity: if the network already carried malicious activity while the model was built, is that "normal activity"?
  • Some patterns classified as anomalies may not be malicious (false positives).

6 Network-Based IDS
• By far the most commonly employed form of intrusion detection system.
• To many people, "IDS" is synonymous with "NIDS".
• Matured more quickly than the host-based equivalents.
• A large number of NIDS products are available on the market.

7 Deploying NIDS
• Points to consider:
  • Where do sensors belong in the network?
  • What is to be protected the most?
  • Which devices hold critical information assets?
  • Cost effectiveness: we cannot deploy sensors on all network segments, and the result would not be manageable even if we could.
• Sensor placement therefore needs careful consideration.

8 Locations for IDS Sensors
• Just inside the firewall.
  • The firewall is a choke point: all inbound and outbound traffic passes here.
  • The sensor can inspect all incoming and outgoing traffic.
• On the DMZ.
  • The publicly reachable hosts located here are attacked often.
  • The DMZ is usually the attacker's first point of entry into the network.
• On the server farm segment.
  • We can monitor mission-critical application servers (for example financial, logistics and human resources functions).
  • Also monitors insider attacks.
• On the network segments connecting the mainframe or midrange hosts.
  • Monitors mission-critical devices.

9 The Network Monitoring Problem
• Network-based IDS sensors sniff the passing traffic in order to monitor it.
• Networks using hubs: the sensor can see every packet, because a hub repeats every packet out of every connected interface.
• Switched networks: a switch forwards each packet only to the port of its destination host, so the sensor must be given a way to see the passing traffic.

10 Monitoring Switched Networks
• Switch Port Analyzer (SPAN) configurations.
  • Cause the switch to copy the packets passing through a given source interface and transmit the copies out of the monitor port, to which the sensor is attached.
  • A SPAN port can silently drop copies when the mirrored traffic exceeds the monitor port's capacity.
• Hubs in conjunction with the switches.
  • The hub must be a fault-tolerant one.
• Taps in conjunction with the switches.
  • Fault-tolerant, hub-like devices.
  • Permit only one-way transmission of data out of the monitoring port, so the sensor cannot inject traffic into the monitored link.

11 NIDS Signature Types
• Payload signatures: look for patterns in packet payloads that indicate possible attacks.
• Port signatures: watch for connection attempts to known or frequently attacked ports.
• Header signatures: watch for dangerous or illogical combinations of packet header fields.

12 Network IDS Reaction Types
• Typical reactions of a network-based IDS with active monitoring when it detects an attack in progress:
  • TCP resets.
  • IP session logging.
  • Shunning or blocking.
• These capabilities are configurable on a per-signature basis; the sensor responds according to its configuration.

13 TCP Reset Reaction
• Operates by sending a TCP reset (RST) packet to the victim host, which terminates the TCP session.
• The reset spoofs the IP address (together with the port and sequence number) of the attacker, so that the victim's TCP stack accepts it as coming from its peer.
• Resets are sent from the sensor's monitoring/sniffing interface.
• It can terminate an attack in progress but cannot stop the initial attack packet from reaching the victim, and it applies only to TCP, not to UDP or ICMP traffic.
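The following is an added example, not code from the presentation or from any product it mentions. It shows, in one piece, the two header-level signature types from slide 11 (illogical flag combinations, connection attempts to watched ports) and the TCP reset reaction from slide 13: the sensor parses an observed attacker-to-victim segment and forges a RST that impersonates the attacker, with the sequence number the victim expects next. All addresses, ports and the watched-port list are constructed for the example; `send_raw` needs CAP_NET_RAW and is not exercised by the demonstration.

```python
import socket
import struct
from typing import Dict, List

# TCP flag bits, low byte of the TCP header's flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                  seq: int, flags: int, ack: int = 0, ttl: int = 64) -> bytes:
    """IPv4 packet carrying a TCP header (no payload) with both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def parse(pkt: bytes) -> Dict[str, object]:
    """Pull the header fields a signature engine needs out of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags}


def checksums_ok(pkt: bytes) -> bool:
    """Both the IP and the TCP checksum verify (recomputing over the stored value gives 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, pkt[9], len(tcp))
    return _checksum(pkt[:ihl]) == 0 and _checksum(pseudo + tcp) == 0


# Header signatures: flag combinations no legitimate TCP stack emits.
HEADER_SIGNATURES = {
    "SYN+FIN scan": lambda f: f & SYN and f & FIN,
    "NULL scan": lambda f: f == 0,
    "XMAS scan": lambda f: f & FIN and f & PSH and f & URG,
}
# Port signature: bare SYNs to frequently attacked ports (constructed list).
WATCHED_PORTS = {23: "telnet", 135: "msrpc", 445: "smb", 1433: "mssql"}


def match_signatures(pkt: bytes) -> List[str]:
    h = parse(pkt)
    if h["proto"] != socket.IPPROTO_TCP:
        return []
    f = h["flags"]
    hits = [name for name, rule in HEADER_SIGNATURES.items() if rule(f)]
    if f & SYN and not f & ACK and h["dport"] in WATCHED_PORTS:
        hits.append("connection attempt to %s/%d" % (WATCHED_PORTS[h["dport"]], h["dport"]))
    return hits


def build_reset_for(observed: bytes, payload_len: int = 0) -> bytes:
    """TCP reset reaction: from an attacker->victim segment seen on the sniffing
    interface, forge a RST that impersonates the attacker. Its sequence number
    must be the one the victim expects next (attacker seq + payload length,
    plus 1 if SYN was set); otherwise the victim's stack discards the RST."""
    h = parse(observed)
    next_seq = (h["seq"] + payload_len + (1 if h["flags"] & SYN else 0)) & 0xFFFFFFFF
    return build_segment(h["src"], h["dst"], h["sport"], h["dport"], next_seq, RST)


def send_raw(pkt: bytes) -> None:
    """Inject a crafted packet from the sensor; requires root/CAP_NET_RAW."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (socket.inet_ntoa(pkt[16:20]), 0))
```

The sequence-number requirement is the practical limit of the reaction: the sensor must have seen the attacker's segment to compute it, and modern stacks (RFC 5961) answer an out-of-place RST with a challenge ACK rather than tearing the session down.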

14 IP Session Logging
• The sensor records the traffic passing between the attacker and the victim.
• Can be very useful in analyzing the attack.
• Can be used to prevent future attacks.
• Limitations:
  • Only the triggering packet and the subsequent packets are logged; preceding packets are lost.
  • Can impact sensor performance.
  • Quickly consumes large amounts of disk space.

15 Shunning/Blocking
• The sensor connects to the firewall or a packet-filtering router and configures filtering rules that block packets from the attacker.
• Needs proper authentication arranged in advance, so that the sensor can securely log in to the firewall or router.
• A temporary measure that buys time for the administrator.
• Problem: with spoofed source addresses, an attacker can trick the sensor into blocking legitimate hosts, turning the reaction into a denial of service.

16 Host-based IDS
• Started in the early 1980s, when networks were not so prevalent.
• Primarily used to protect only critical servers.
• A software agent resides on the protected system.
• Signature based: detects intrusions by analyzing operating system and application logs, resource utilization, and other system activity.
• The agent's use of resources can impact system performance.

17 HIDS Methods of Operation
• Auditing logs: system logs, event logs, security logs, syslog.
• Monitoring file checksums to identify changes.
• Elementary network-based signature techniques, including port activity.
• Intercepting and evaluating applications' requests for system resources before they are processed.
• Monitoring system processes for suspicious activity.

18 Log File Auditing
• Detects past activity: it cannot stop the action that set off the alarm from taking place.
• Log files:
  • The log files are monitored for changes.
  • New entries are compared against the HIDS attack signature patterns for a match.
  • If a match is detected, the administrator is alerted.
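An added example of the audit loop described above (not code from the presentation): only the entries appended since the last pass are read, each new line is matched against a small set of signature patterns, and a source that reaches a signature's threshold produces an alert. The log lines, the two signatures and their thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of newly appended syslog entries (not real logs).
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 51234 ssh2
Mar  3 10:01:04 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 51236 ssh2
Mar  3 10:01:05 web1 sshd[2101]: Failed password for admin from 198.51.100.23 port 51238 ssh2
Mar  3 10:01:06 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar  3 10:01:09 web1 sshd[2101]: Failed password for root from 198.51.100.23 port 51242 ssh2
Mar  3 10:01:30 web1 sshd[2107]: Accepted password for bob from 192.0.2.44 port 40001 ssh2
Mar  3 10:02:11 web1 sudo:   bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:02:15 web1 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
"""

# HIDS attack signatures: (name, pattern with a "src" group, hits per source
# within one audit pass needed to raise an alert). Hypothetical rules.
SIGNATURES = [
    ("ssh brute force",
     re.compile(r"Failed password for \S+ from (?P<src>\d+\.\d+\.\d+\.\d+)"), 5),
    ("shadow file read via sudo",
     re.compile(r"sudo: +(?P<src>\S+) :.*COMMAND=\S+ /etc/shadow"), 1),
]


def read_new_entries(path: str, offset: int) -> Tuple[str, int]:
    """Return the text appended since `offset` and the new offset, so each audit
    pass sees only new entries. A file shorter than the offset was rotated or
    truncated (itself worth noting); here we simply start over from the top."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        if fh.tell() < offset:
            offset = 0
        fh.seek(offset)
        data = fh.read()
    return data.decode("utf-8", "replace"), offset + len(data)


def audit(new_entries: str) -> List[Tuple[str, str, int]]:
    """Match new log entries against the signatures. Returns one
    (signature name, offending source, hit count) per alert."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in new_entries.splitlines():
        for name, pattern, _ in SIGNATURES:
            m = pattern.search(line)
            if m:
                counts[(name, m.group("src"))] += 1
    thresholds = {name: n for name, _, n in SIGNATURES}
    return [(name, src, n) for (name, src), n in counts.items() if n >= thresholds[name]]
```

Because the audit runs after the entries are written, it confirms what already happened; pairing the alert with the offset bookkeeping above is what keeps each pass from re-alerting on old entries.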

19 File Checksum Examination
• Detects past activity: it cannot stop the action that set off the alarm from taking place.
• Hashes are created only for system files that should not change, or change infrequently.
• Including frequently changing files produces a flood of meaningless alerts.
• Dedicated file checksum systems, such as Tripwire, may also be employed.
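An added example of the baseline-and-compare check the slide describes, written here for illustration rather than taken from Tripwire or the presentation. Frequently changing files are excluded by suffix so that log growth does not trigger alerts; the directory tree, file contents and the intruder's changes in `run_demo` are all constructed.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, exclude_suffixes: Iterable[str] = (".log",)) -> Dict[str, str]:
    """Hash every regular file under root, skipping symlinks and the suffixes
    that mark frequently changing files (logs), which would only add noise."""
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink() and p.suffix not in exclude_suffixes:
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Files that appeared, disappeared, or whose hash no longer matches."""
    return {
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
        "modified": {k for k in baseline.keys() & current.keys() if baseline[k] != current[k]},
    }


def run_demo() -> Dict[str, Set[str]]:
    """Constructed scenario: baseline a fake system directory, then simulate an
    intruder replacing a binary, dropping a hidden file and deleting a file,
    while an excluded log keeps growing."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "motd").write_text("welcome\n")
        (root / "syslog.log").write_text("boot\n")
        baseline = build_baseline(root)

        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls")  # modified
        (root / "bin" / ".rootkit").write_bytes(b"payload")         # added
        (root / "motd").unlink()                                    # removed
        with (root / "syslog.log").open("a") as fh:                 # excluded noise
            fh.write("many more entries\n")
        return compare(baseline, build_baseline(root))
```

The baseline is only as trustworthy as its storage: keep it off the monitored host or on read-only media, since an intruder who can rewrite the baseline can hide every change.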

20 Network-Based Techniques
• The HIDS product monitors packets entering and leaving the host's NIC for signs of malicious activity.
• Designed to protect only the host in question.
• The attack signatures used are not as sophisticated as those used in NIDS.
• Provides rudimentary network-based protection.

21 Intercepting Requests
• Intercepts calls to the operating system before they are processed.
• Is able to validate software calls made to the operating system and kernel.
• Validation is accomplished by:
  • Generic rules about which processes may access which resources.
  • Matching calls for system resources against predefined models that identify malicious activity.

22 System Monitoring
• Can preempt attacks before they are executed.
• This type of monitoring can:
  • Prevent files from being modified.
  • Allow access to data files only to a predefined set of processes.
  • Protect system registry settings from modification.
  • Prevent critical system services from being stopped.
  • Protect user settings from being modified.
  • Stop the exploitation of application vulnerabilities, by denying the resource accesses the exploit needs.

23 HIDS Software
• Deployed by installing agent software on the system.
• Effective for detecting insider attacks.
• Host wrappers:
  • Inexpensive and deployable on all machines.
  • Do not provide the in-depth, active monitoring of agent-based HIDS products.
  • Sometimes referred to as personal firewalls.
• Agent-based software:
  • Better suited to single-purpose servers.

24 HIDS Active Monitoring Capabilities
• Options commonly used:
  • Log the event (very good for post-mortem analysis).
  • Alert the administrator, through email or SNMP traps.
  • Terminate the user login, perhaps with a warning message.
  • Disable the user account.
  • Prevent access to memory, processor time, or disk space.

25 Advantages of Host-based IDS
• Can verify the success or failure of an attack by reviewing log entries.
• Monitors user and system activities, which is useful in forensic analysis of the attack.
• Can protect against attacks that do not arrive over the network.
• Reacts very quickly to intrusions:
  • By preventing access to system resources.
  • By immediately identifying a breach when it occurs.
• Does not rely on particular network infrastructure:
  • Not limited by switched infrastructures.
  • Installed on the protected server itself.
  • Does not require additional hardware to deploy.
  • Needs no changes to the network infrastructure.

26 Active/Passive Detection
• Refers to the ability of an IDS to take action when it detects suspicious activity.
• Passive systems take no action to stop or prevent the activity. They:
  • Log events.
  • Alert administrators.
  • Record the traffic for analysis.
• Active systems do all the recording that passive systems do, and in addition:
  • Interoperate with firewalls and routers to cause blocking or shunning.
  • Can send TCP resets.

27 Our Approach
• We present a variant, but novel, approach to anomaly detection.
• We show how to detect attacks without the use of signature databases.
• We show how to correlate multiple inputs to define the basis of a new-generation analysis engine.

28 Signals and Signal Processing
• Signal definition: a function of one or more independent variables such as time, distance, position, temperature, or pressure.
• Signals play an important part in our daily lives; examples: speech, music, pictures, and video.
• Signal classification:
  • Analog: the independent variable on which the signal depends is continuous.
  • Digital: the independent variable is discrete. Digital signals are represented as a sequence of numbers (samples).
• Signals carry information; the objective of signal processing is to extract this useful information.

29 Energy of a Signal
• We can also view a signal as a function whose amplitude varies through time.
• A measure of a signal's strength is the area under the curve of the squared magnitude of the signal.
• This measure is referred to as the energy of the signal and is defined as:
  • Energy of a continuous signal: the integral over time of the squared magnitude.
  • Energy of a discrete signal: the sum over all samples of the squared magnitude.

30 Wavelet
• A waveform of effectively limited duration that has an average value of zero.
• Presently used in many fields of science and engineering.
• Its development resulted from the need for algorithms that compute compact representations of signals and data sets quickly.
• Started as Alfred Haar's step functions, now called Haar wavelets.
• Wavelet analysis breaks a signal up into shifted and scaled versions of a single original (mother) wavelet.

31 Our Network Topology
• We set up a star topology network:
  • Four computers in an island, each running Linux RedHat 9.2.
  • The machines are connected by a switch.
  • The switch is connected to a PIX 515E firewall.
  • A 3Com Ethernet hub sits between the switch and the firewall, for sniffing and capturing packets.
• We duplicated this island six times and connected the islands with routers.
• We then connected the islands, via the routers, to a central Cisco switch.
• For simulation purposes, we installed Windows XP on one machine in island one.

32 Data Collection
• We generated packets with a Perl script on a Linux system.
• We used the three most common protocols for our simulation: HTTP, FTP, and SMTP.
• For each protocol:
  • We generated constant traffic and created 50 datasets, each consisting of the number of packets transmitted over two-minute intervals.
  • We executed the same traffic scripts with a random pause of between 0 and 60 seconds.
  • We then re-ran the traffic with a random pause of between 0 and 15 seconds to create additional datasets.
• We captured all 150 datasets with Ethereal for further analysis.
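An added example tying slides 29, 30 and 32 together; it is not the authors' analysis engine and the figures that follow are not reproduced by it. It takes a packets-per-two-minute-interval series of the kind described above (here a constructed series with a single injected flood, not one of the paper's datasets), applies the orthonormal Haar wavelet transform, and flags intervals whose fine-scale detail coefficient is far larger than usual, without any signature database. The energy function uses the standard discrete definition, since the slide's own formula did not survive in the transcript; `k` and `floor` are parameters chosen for the example.

```python
import math
from statistics import median
from typing import List, Tuple


def make_sample_counts() -> List[float]:
    """Constructed stand-in for one dataset: packets per two-minute interval for
    one protocol. Baseline of about 120 with small deterministic jitter;
    interval 20 carries an injected flood of 900 packets."""
    counts = [120.0 + (2 * i) % 5 - 2 for i in range(32)]
    counts[20] = 900.0
    return counts


def energy(x: List[float]) -> float:
    """Energy of a discrete signal: the sum of the squared sample magnitudes."""
    return sum(abs(v) ** 2 for v in x)


def haar_step(x: List[float]) -> Tuple[List[float], List[float]]:
    """One level of the orthonormal Haar transform. The approximation is the
    scaled pairwise sum, the detail the scaled pairwise difference; a burst
    confined to one interval shows up as a large detail coefficient."""
    if len(x) % 2:
        raise ValueError("signal length must be even at every level")
    s = math.sqrt(2.0)
    approx = [(x[i] + x[i + 1]) / s for i in range(0, len(x), 2)]
    detail = [(x[i] - x[i + 1]) / s for i in range(0, len(x), 2)]
    return approx, detail


def haar_decompose(x: List[float], levels: int) -> Tuple[List[float], List[List[float]]]:
    """Multi-level decomposition: repeatedly split the approximation. Returns the
    coarsest approximation and the details from finest to coarsest scale."""
    approx, details = list(x), []
    for _ in range(levels):
        approx, detail = haar_step(approx)
        details.append(detail)
    return approx, details


def detect_bursts(counts: List[float], k: float = 5.0, floor: float = 1.0) -> List[int]:
    """Anomaly rule with no signature database: flag interval pairs whose
    level-1 detail magnitude exceeds k times the median detail magnitude.
    `floor` keeps the threshold meaningful on perfectly constant traffic, where
    the median would be zero. Returns the first interval index of each pair."""
    _, detail = haar_step(counts)
    scale = max(median(abs(v) for v in detail), floor)
    return [2 * i for i, v in enumerate(detail) if abs(v) > k * scale]


if __name__ == "__main__":
    counts = make_sample_counts()
    approx, details = haar_decompose(counts, 3)
    print("flagged intervals:", detect_bursts(counts))
    print("energy per detail level:", [round(energy(d), 1) for d in details])
```

Because the Haar basis used here is orthonormal, the energy of the original series equals the energy of the coarsest approximation plus the energy of every detail level (Parseval's relation), so the energy at each scale is a directly comparable summary of one dataset, which is what makes per-scale energy a usable feature for correlating the HTTP, FTP and SMTP series.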

33 Results: Figure 1

34 Figure 2

35 Figure 3

36 Figure 4

37 Figure 5

38 Figure 6

39 Conclusion & Future Direction
• We have presented a wavelet-based framework for network monitoring.
• This is our first phase in the development of an engine for network intrusion analysis.
• The engine will not depend on signature databases, and thus aims to minimize both false negatives and false positives.

