2013 International Conference on Sensor Network Security Technology and Privacy Communication System (SNS & PCS)
A Novel Approach for the Design of Network Intrusion Detection System (NIDS)
Ambarish Jadhav, Avinash Jadhav
Formerly at Walchand College of Engineering, Sangli, India [email protected]
jadhav.avinash [email protected]
Abstract: Though several approaches to detect intrusion have already been proposed, the clustering and categorization of packet signatures still has scope for research. In this paper, we propose a framework for a network intrusion detection system based on clustering of packet signatures and network analysis. Whenever the features of an incoming network packet match one of the intrusion signatures, the system alerts the administrator about the possible threat with details of the source of the malicious activity; the classification was found to be more than 90% accurate.
Keywords: intrusion detection system; packet signature; jpcap; pattern matching; clustering; fuzzy system
I. INTRODUCTION
Intrusions in an information system are activities that may be harmful to the security and functioning of the system, and intrusion detection is the process used to identify intrusions. Due to the limitations of information security and software engineering practice, computer systems and applications may have design flaws or bugs that could be used by an intruder to attack the systems or applications. In an effort to tackle these scenarios, IDSs were developed as a second line of defence. However, the ability to create solid rules based on clustering of packet signatures and their proper categorization has not been explored much.
The need for intrusion detection systems began in the 1980s, when James P. Anderson published a study outlining ways to improve computer security auditing and surveillance at customer sites. The original idea behind automated intrusion detection is often credited to him for his paper on "How to use accounting audit files to detect unauthorized access". This study paved the way for misuse detection on mainframe systems. Since then many algorithms and frameworks have been proposed to tackle intrusion detection, each approach having its own advantages and disadvantages.
One classification of IDSs is:
1) Network-based IDS, in which the system is placed at an important point in a network segment, and
2) Host-based IDS, which mainly analyzes the log files of a host (for example a mainframe) or a system.
There are two major methods to detect intrusions in computer networks:
1) Based on network intrusion signatures, and
978-1-4673-6453-9/13/$31.00 ©2013 IEEE
Pradeep Jadhav, Prakash Kulkarni
Formerly at Walchand College of Engineering, Sangli, India [email protected]
pjk_[email protected]
2) Based on the detection of anomalies on the network.
In this paper, we attempt to enhance signature-based intrusion detection by applying the concepts of clustering and fuzziness: features are extracted from each network packet and tested against the generated signature database for signs of intrusion. This gives a proper categorization of the network packet according to its severity.
II. ARCHITECTURE
Although firewalls and antivirus software are deployed, some attackers can still penetrate the firewall; network intrusion detection system (NIDS) technology was developed for this reason. An intrusion detection system (IDS) mainly monitors and analyzes the network activities of a computer system, as shown in Figure 1.
Depending on throughput requirements, a network-based IDS may inspect only packet headers or also the packet content. Moreover, multiple detectors are typically deployed at strategic locations in order to distribute the task.
Figure 1. General NIDS architecture (figure labels: Web Server, DB Server, Systems)
May 18-19, 2013, Harbin, China
A. High Level Design
The flowchart in Figure 2 depicts the high level view of the working of the proposed network intrusion detection framework.
Figure 2. NIDS High Level Design (input packet from network -> Packet Decode Procedure -> Packet Pre-process Procedure)
B. Low Level Design
1) Packet Decode Procedure:
• A net-filter is used to capture the packets flowing through the network card.
• The packet is parsed.
• The parsing results are stored in the respective MySQL tables.
a) Receive packets into the network card:
During communication between different client machines, the network traffic can be seen at the server machine, where all those packets can be captured. Packets are captured using the Ethernet card.
Figure 3. Packet Decode Procedure (receive packets into the network card -> packet present? -> parse the packet header -> store to the network information table)
The whole packet is received as-is, without removing the header. The server continuously captures incoming packets as shown in Figure 3. Received packets are then sent to the next phase, where they are processed and the header information is obtained.
b) Parsing of packet header:
The received packet's header information is parsed to obtain the following packet features.
For the IP header: priority (TOS precedence), don't-fragment flag, more-fragments flag, fragment offset, identification number, time to live, protocol, source IP, destination IP.
For a TCP packet: source port, destination port, sequence number, acknowledgement number, URG flag, ACK flag, PSH flag, RST flag, SYN flag, FIN flag, reserved bits rsv1 and rsv2, window size, urgent pointer.
For a UDP packet: source port, destination port.
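As an added illustration of the parsing step (this is example code written for this edit, not the paper's Jpcap/Java implementation), the following Python decodes a raw IPv4 datagram into the feature record described above. The sample packets are constructed in the block, not captured traffic; the mapping of the paper's "rsv1"/"rsv2" names onto two of the TCP reserved bits is an assumption.

```python
import struct
from ipaddress import IPv4Address

# Bit masks of the TCP flags byte (RFC 793 layout).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_ip_header(pkt: bytes) -> dict:
    """IP-layer features listed in the paper, from a raw IPv4 datagram."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {
        "priority": tos >> 5,                      # precedence bits of the TOS byte
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,       # fragment offset in bytes
        "identification": ident,
        "ttl": ttl,
        "protocol": proto,
        "src_ip": str(IPv4Address(src)),
        "dst_ip": str(IPv4Address(dst)),
        "header_len": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
    }

def parse_tcp_header(seg: bytes) -> dict:
    """TCP features: ports, seq/ack numbers, the six flags, reserved bits, window, urgent pointer."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_rsv, flags,
     window, _csum, urg_ptr) = struct.unpack("!HHIIBBHHH", seg[:20])
    feats = {"src_port": sport, "dst_port": dport,
             "seq_no": seq, "ack_no": ack,
             # rsv1/rsv2: two of the reserved bits between data offset and flags
             # (assumed mapping; the paper names the fields but not the bit positions)
             "rsv1": (off_rsv >> 3) & 1, "rsv2": (off_rsv >> 2) & 1,
             "window": window, "urgent_ptr": urg_ptr}
    for name, bit in TCP_FLAG_BITS.items():
        feats[name] = bool(flags & bit)
    return feats

def parse_udp_header(seg: bytes) -> dict:
    if len(seg) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, _length, _csum = struct.unpack("!HHHH", seg[:8])
    return {"src_port": sport, "dst_port": dport}

def parse_packet(pkt: bytes) -> dict:
    """Decode one IPv4 datagram into the feature record the paper stores per packet."""
    ip = parse_ip_header(pkt)
    transport = pkt[ip["header_len"]:]
    if ip["protocol"] == 6:
        return {"type": "TCP", "ip": ip, "tcp": parse_tcp_header(transport)}
    if ip["protocol"] == 17:
        return {"type": "UDP", "ip": ip, "udp": parse_udp_header(transport)}
    return {"type": "OTHER", "ip": ip}

# --- constructed sample packets (not captured traffic); checksums left as 0 ---
def build_ipv4(proto, payload, src, dst, ident=1, ttl=64, df=True):
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

SAMPLE_TCP_SYN = build_ipv4(
    6, struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, TCP_FLAG_BITS["SYN"], 1028, 0, 0),
    "192.168.1.10", "192.168.1.20", ident=39426)
SAMPLE_UDP_PORT0 = build_ipv4(
    17, struct.pack("!HHHH", 0, 53, 8, 0), "10.0.0.7", "192.168.1.20")

if __name__ == "__main__":
    for pkt in (SAMPLE_TCP_SYN, SAMPLE_UDP_PORT0):
        print(parse_packet(pkt))
```

The decoder deliberately stops at the headers, which is all the paper's rules consume; a payload-aware rule set would keep `pkt[ip["header_len"] + tcp_data_offset:]` as well.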
c) Store to network information table:
A database for packet logging and signatures is created in MySQL. In the database, separate tables are created for TCP, UDP and ICMP, whose attributes are the packet header fields explained above. The stored packet information is then used for rule detection, and can also be used to analyze the network. The database is updated as new packets are received.
2) Packet Pre-process Procedure:
• The network information table is read and that information is checked against the rules already defined, as shown in Figure 4.
• For any other packet signature that partially matches the predefined rules, a new category is created.
Figure 4. Packet Pre-process Procedure (read network information table -> use IDS rule table -> normal packet, or attack identified and alerted)
a) Use IDS rule table:
The extracted packet header information is matched against the rules in the signature database, which is created with predefined rules. If the packet features do not match any of the signatures, a new entry is created in the database and used for future signature matching. In this way the signature database is continuously updated.
b) Attack Identification:
When a signature in the database matches the arrived packet's signature, an alert is generated. At the server side the details of the attack are provided, and the category of the attack and its severity are determined. The details of attack identification and of defining its category are given in the implementation section.
For a healthy packet no rule in the database matches, so such packets raise no alert.
III. IMPLEMENTATION DETAIL
This section describes the methodologies, libraries and packages used to implement the proposed NIDS.
A. Prototype (Network Training)
As a preliminary step in developing the network intrusion detection system, a prototype consisting of 2-3 hosts was built and the standard rules were successfully tested on it.
1) The following software was used:
- Jpcap, an open source Java library for capturing and sending network packets
- MySQL database for network packet logging and signatures
- JDK 1.6.0
2) Jpcap library: an open source Java library that provides classes and interfaces for capturing packets from a network interface, sending packets to a network interface, reading packets from a file, and writing packets to a local file.
3) The following are some of the standard existing rules, based on previous experimentation, for intrusion detection:
- Invalid flag combinations in a TCP packet, such as the SYN and FIN flags both set, or no flag set at all.
- SYN flag set and the same host requesting connection establishment with our system more than 6 times.
- A remote host pinging continuously to check the availability of our system.
- TTL = 1 and the destination IP or source IP in the local LAN.
- Window size = 1028.
- Source port or destination port equal to 0 in a UDP packet.
- Identification number = 39426.
- Combining any two or more of the above gives a better signature.
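The rule list above can be written as predicates over the decoded feature records, which is done here as an added example (not the paper's implementation). Two rules are stateful (repeated SYNs, continuous pings), so the engine keeps per-host counters. The local LAN range and the ping threshold are assumptions: the paper gives "more than 6" for SYNs but no number for pings. The traffic is constructed inline.

```python
import ipaddress
from collections import Counter

LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range (not given in the paper)
SYN_LIMIT = 6    # paper: same host requesting connection more than 6 times
PING_LIMIT = 5   # assumed: paper says "continuously" without a number

class RuleEngine:
    """Applies the standard rules to a stream of decoded packet feature records."""

    def __init__(self):
        self.syn_counts = Counter()    # connection attempts seen per source host
        self.ping_counts = Counter()   # ICMP echo requests seen per source host

    def check(self, f: dict) -> list:
        matched = []
        if f["proto"] == "TCP":
            flags = f["flags"]
            if {"SYN", "FIN"} <= flags or not flags:
                matched.append("invalid_flag_combination")
            if "SYN" in flags and "ACK" not in flags:   # a new connection attempt
                self.syn_counts[f["src_ip"]] += 1
                if self.syn_counts[f["src_ip"]] > SYN_LIMIT:
                    matched.append("repeated_syn_from_host")
            if f["window"] == 1028:
                matched.append("window_size_1028")
        elif f["proto"] == "UDP":
            if f["src_port"] == 0 or f["dst_port"] == 0:
                matched.append("udp_port_zero")
        elif f["proto"] == "ICMP" and f["icmp_type"] == 8:      # echo request
            self.ping_counts[f["src_ip"]] += 1
            if self.ping_counts[f["src_ip"]] > PING_LIMIT:
                matched.append("continuous_ping")
        src, dst = ipaddress.ip_address(f["src_ip"]), ipaddress.ip_address(f["dst_ip"])
        if f["ttl"] == 1 and (src in LOCAL_LAN or dst in LOCAL_LAN):
            matched.append("ttl_1_in_local_lan")
        if f["identification"] == 39426:
            matched.append("identification_39426")
        return matched

def verdict(matched: list) -> str:
    """Two or more rules firing on one packet form the stronger combined signature."""
    if len(matched) >= 2:
        return "combined_signature"
    return "single_rule" if matched else "normal"

# --- constructed feature records (same fields the decode stage would store) ---
def rec(proto, src, dst, ttl=64, ident=1, flags=(), window=8192,
        src_port=40000, dst_port=80, icmp_type=None):
    return {"proto": proto, "src_ip": src, "dst_ip": dst, "ttl": ttl,
            "identification": ident, "flags": set(flags), "window": window,
            "src_port": src_port, "dst_port": dst_port, "icmp_type": icmp_type}

SAMPLE_TRAFFIC = (
    [rec("TCP", "10.0.0.5", "192.168.1.2", flags=("SYN",)) for _ in range(7)]
    + [rec("TCP", "10.0.0.6", "192.168.1.2", flags=("SYN", "FIN"), window=1028, ident=39426),
       rec("UDP", "10.0.0.7", "192.168.1.2", src_port=0, dst_port=53),
       rec("TCP", "192.168.1.3", "192.168.1.2", flags=("ACK",), ttl=1),
       rec("TCP", "10.0.0.8", "192.168.1.2", flags=("ACK",))]
)

def run(traffic):
    """Feed records through one engine in order and return (verdict, matched rules) per packet."""
    engine = RuleEngine()
    return [(verdict(m), m) for m in (engine.check(f) for f in traffic)]

if __name__ == "__main__":
    for v, m in run(SAMPLE_TRAFFIC):
        print(v, m)
```

Only the seventh SYN from 10.0.0.5 fires the repeated-SYN rule, which is the behaviour a practitioner should check first in a stateful rule: the counter must be keyed per source host, otherwise unrelated clients trip it for each other.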
4) Clustering of Signatures
There can be a case where an intelligent intruder finds a way around a rule while still following a valid packet signature, so that the intrusion goes undetected, such as:
- A valid packet requesting a port number on which another process is listening.
- A host continuously sending valid SYN (synchronize) packets through different port numbers.
5) Database created for packets and signatures:
Tables for the TCP and UDP packet logs had the following fields in MySQL.
For a TCP packet: Sip (source IP address), Dip (destination IP address), AckNo (acknowledgement number), TCP flags (SYN, FIN, PSH, RST, URG, ACK), TTL (time to live).
For a UDP packet, two fields were included in the table: source port and destination port.
For the signature table, two fields were included: signature and description.
6) Time and Space Complexity:
To measure the running time of our program we used the following functions available in Java:
    long startTime = System.currentTimeMillis();
    mainProgram();   // the detection routine under measurement
    long endTime = System.currentTimeMillis();
    System.out.println("That took " + (endTime - startTime) + " milliseconds");
For 30 consecutive packets injected into the network the measured running time was 1940 milliseconds.
To estimate the space requirement we measured the actual memory required for the program and the variable sizes:
CODE SIZE: 14.4 KB (14,746 bytes)
VARIABLE SIZE: nearly 460 bytes
7) Signatures clustered under Fragmentation:
a) TCP Fragmentation SYN FIN Port Sweep:
Triggers when a series of fragmented TCP packets with both the SYN and FIN flags set have been sent to a number of different destination ports on a specific host.
b) Fragmented NULL TCP Packet:
Triggers when a single fragmented TCP packet with none of the SYN, FIN, ACK or RST flags set has been sent to a specific host.
c) TCP SYN Port Sweep:
Triggers when a series of TCP SYN packets have been sent to a number of different destination ports on a specific host.
d) Orphaned FIN Packet:
Triggers when a single orphaned TCP FIN packet is sent to a privileged port (port number less than 1024) on a specific host.
The use of a single FIN packet, when no other alarms fire, indicates an attempt to conceal the sweep by slowly scanning the network in an effort to beat port scan detectors.
e) Ping o' Death Attack:
A DoS attack. The attacker sends fragments whose reassembled IP packet exceeds the maximum allowable packet size of 65535 bytes.
f) Tiny Fragment Attack:
Uses small fragments to force some of the TCP header information into the next fragment. The attacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass.
g) The Teardrop Attack:
A denial of service attack, as was the Ping o' Death attack. The teardrop attack is a UDP attack. It uses overlapping fragment offset fields in an attempt to bring down the victim host.
TABLE I. CATEGORIZATION OF NETWORK PACKETS

Severity / alarm level          | Low (levels 1, 2)                                                                | Medium (levels 3, 4)                                      | High (level 5)
Description                     | Benign activity that is allowed or used for informational purposes, but recorded | Abnormal activity that could be malicious or used for DoS | Actual attacks are detected
Probability of an actual attack | Very low                                                                         | Medium                                                    | Very high
Immediate threat                | No                                                                               | Low                                                       | Yes
h) Overlapping Fragment Attack:
This attack can be used to overwrite part of the TCP header information in the first fragment.
i) Unnamed Attack:
The fragments do not overlap but are created in such a way that there is a gap between them. This is done by manipulating the offset values so that parts of the datagram are skipped.
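The fragmentation signatures e) to i) all reduce to checks on the (offset, more-fragments, length) triples of the fragments sharing one IP identification. The following Python, added here as an example and not part of the paper's code, runs those checks over constructed fragment sets; the 20-byte threshold for a "tiny" first fragment (enough to carry a full TCP header) is an assumed choice.

```python
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535
MIN_FIRST_FRAGMENT = 20   # assumed: enough payload to hold a full 20-byte TCP header

@dataclass(frozen=True)
class Fragment:
    """One IP fragment as the decode stage would record it (offset already in bytes)."""
    ident: int
    offset: int
    more_fragments: bool
    length: int           # bytes of payload carried by this fragment
    protocol: int = 6     # 6 = TCP, 17 = UDP

def check_fragments(frags):
    """Return the fragmentation signatures that one datagram's fragment set matches."""
    if not frags:
        return []
    alerts = []
    frags = sorted(frags, key=lambda f: f.offset)
    if any(f.offset + f.length > MAX_IP_DATAGRAM for f in frags):
        alerts.append("ping_of_death")                  # reassembled size > 65535
    first = frags[0]
    if (first.offset == 0 and first.more_fragments and first.protocol == 6
            and first.length < MIN_FIRST_FRAGMENT):
        alerts.append("tiny_fragment")                  # TCP header split across fragments
    overlap = gap = False
    for prev, cur in zip(frags, frags[1:]):
        prev_end = prev.offset + prev.length
        if cur.offset < prev_end:
            overlap = True
        elif cur.offset > prev_end:
            gap = True
    if overlap:
        alerts.append("overlapping_fragments")           # teardrop / header overwrite
    if gap and not frags[-1].more_fragments:
        alerts.append("fragment_gap")                    # the "unnamed" attack
    return alerts

def check_stream(frags):
    """Group a mixed fragment stream by IP identification and check each datagram."""
    groups = {}
    for f in frags:
        groups.setdefault(f.ident, []).append(f)
    return {ident: check_fragments(g) for ident, g in groups.items()}

# --- constructed fragment sets (not captured traffic) ---
NORMAL    = [Fragment(1, 0, True, 1480), Fragment(1, 1480, False, 300)]
TEARDROP  = [Fragment(2, 0, True, 36, 17), Fragment(2, 24, False, 36, 17)]
TINY      = [Fragment(3, 0, True, 8), Fragment(3, 8, False, 100)]
GAPPED    = [Fragment(4, 0, True, 100), Fragment(4, 200, False, 100)]
OVERSIZED = [Fragment(5, i * 1480, i < 44, 1480) for i in range(45)]   # 45 x 1480 > 65535

if __name__ == "__main__":
    for ident, alerts in check_stream(NORMAL + TEARDROP + TINY + GAPPED + OVERSIZED).items():
        print(ident, alerts)
```

The gap check is only reported once the final fragment (more-fragments clear) has arrived, since an in-order capture will naturally see gaps before the missing fragments show up; a production sensor would also expire groups that never complete.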
B. Severity of Rules
The signature severity represents the probability that the matched signature represents a real and immediate security threat to your systems and network. Each signature has a default severity assigned to it, and these default severities are normally adequate for most network environments. The three severity levels are low, medium and high; the severity is based on the alarm level.
Low severity: Many of the signatures configured for the low-severity level are actually informational signatures.
Medium severity: Some of these signatures are triggered by techniques that were effective in the past but are usually no longer a threat in modern network environments. Intrusion attempts using these legacy vulnerabilities have a low probability of success and are therefore assigned a medium severity level.
High severity: Signatures that alarm with a high-severity level detect attacks that intruders use to gain access to network resources.
C. Fuzziness of Rules:
The fuzziness of rules is expressed by assigning weights to the rules within each category. Based on the implemented code, we derived the results indicating the percentage of membership in the three categories: Level 1 (low), Level 2 (medium) and Level 3 (high).
Mapping rules to levels: a rule is categorized into the levels shown above. A rule cannot be totally categorized into a single level; it may show some fraction of the characteristics of other levels. Therefore fuzzification is applied to each rule as explained below, and the fuzziness is expressed as a percentage.
E.g. a rule from level one may have a fraction of another level's characteristics. A rule in level 3 is "SYN+FIN+different port numbers+port number < 1023". This rule contains the level-1 rule "SYN+FIN" and also a fraction of the rules from level 2. Thus such a rule from level 3 has a 15% fraction from level 2 and 5% from level 1, and is finally categorized as 80% level 3, 15% level 2 and 5% level 1 (overall level 3). The categorization of every rule is defined in the same way.
These categorized rules are then checked against the received packet. The received packet may match rules from two or more levels. The packet is checked against the rules and the number of matching rules from each level is counted; from this the percentage of rules for each level is calculated, and the packet is categorized into a level. If the percentages of rules for two levels in a packet are found to be equal, the packet is placed in a new category.
E.g. 1] A packet is received which has the following signatures:
(SYN+FIN) & (sum of fragments > 65535) & (fragments coming to different ports)
This packet matches one rule from level 1, one rule from level 2 and two rules from level 3. So the packet signature has 25% level 1, 25% level 2 and 50% level 3 characteristics. The packet signature contains the most rules from level 3 (50%); therefore this packet belongs to the level 3 category.
2] When the arrived packet signature matches rules that show the same percentage for two levels, then instead of ignoring it a new category is formed for such packets. Consider the following signature:
(Win size 1028 + SYN=1 & FIN=1 & Identification No = 39426) + (port number > 1023 & different ports)
This packet signature contains rules from both level 1 and level 3, so it shows equal percentages of level 1 and level 3 characteristics. Therefore the packet is categorized into a new level that shows equal characteristics of level 1 and level 3.
Thus, by categorizing rules and packets, it becomes easier to categorize packets that arrive in future into a level; it also provides a means for efficient detection and for estimating the effort required to take action.
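The categorization described in this section can be carried out as follows; this Python is an added example written for this edit, not the paper's implementation. Each rule carries a membership vector over the three levels. Summing the vectors of the rules a packet matched and normalizing reproduces the paper's rule counting exactly when the rules are crisp (100% in one level), and generalizes it when a rule is itself fuzzy, like the 5/15/80 rule above. The rule names and their level assignments are assumptions except where the paper states them; the two examples below are the paper's.

```python
LEVELS = (1, 2, 3)   # level 1 = low, 2 = medium, 3 = high

# Membership of each rule in the three levels, in percent (each row sums to 100).
# Level assignments are assumed for this example except the two the paper gives:
# "SYN+FIN" is a level-1 rule, and "SYN+FIN+different ports+port < 1023" is 5/15/80.
RULE_MEMBERSHIP = {
    "syn_fin":                  (100, 0, 0),
    "fragment_sum_over_65535":  (0, 100, 0),
    "fragmented_port_sweep":    (0, 0, 100),
    "syn_port_sweep":           (0, 0, 100),
    "win1028_synfin_id39426":   (100, 0, 0),
    "unprivileged_port_sweep":  (0, 0, 100),
    "synfin_sweep_privileged":  (5, 15, 80),
}

def categorize(matched_rules, membership=RULE_MEMBERSHIP):
    """Return (percent per level, verdict) for the set of rules one packet matched."""
    totals = [0.0, 0.0, 0.0]
    for name in matched_rules:
        for i, pct in enumerate(membership[name]):
            totals[i] += pct
    grand = sum(totals)
    if grand == 0:
        return {lvl: 0.0 for lvl in LEVELS}, "normal"
    pcts = {lvl: round(100.0 * t / grand, 2) for lvl, t in zip(LEVELS, totals)}
    top = max(pcts.values())
    winners = [lvl for lvl in LEVELS if pcts[lvl] == top]
    if len(winners) == 1:
        return pcts, f"level {winners[0]}"
    # Tie between levels: the paper forms a new category instead of discarding the packet.
    return pcts, "new category: level " + "/".join(str(w) for w in winners)

# The paper's two worked examples, as constructed rule-match sets.
EXAMPLE_1 = ["syn_fin", "fragment_sum_over_65535", "fragmented_port_sweep", "syn_port_sweep"]
EXAMPLE_2 = ["win1028_synfin_id39426", "unprivileged_port_sweep"]

if __name__ == "__main__":
    print(categorize(EXAMPLE_1))   # level 3: 25 / 25 / 50
    print(categorize(EXAMPLE_2))   # tie between level 1 and level 3 -> new category
    print(categorize(["synfin_sweep_privileged", "syn_fin"]))
```

The third call shows where the fuzzy form differs from plain counting: a level-3 rule that is itself 5% level 1, matched together with a crisp level-1 rule, comes out 52.5/7.5/40 rather than a 1:1 tie, so the packet lands in level 1 instead of a new category. Whether that is the intended behaviour is a policy decision the rule weights encode.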
D. Capacity of IDS
Figure 5. % packet loss versus number of packets (scale: X-axis 1 unit = 70 packets, ticks 1 to 10; Y-axis 1 unit = 2% loss, ticks 0.00 to 8.00)
Figure 5 shows the graph of the number of packets received versus the number of packets lost for 1 server machine on which the application was running and 5 client machines.
From Figure 5 we can observe that there is no packet loss until approximately 460 packets are received, after which a small amount of packet loss can be seen.
Here capacity is measured in terms of loss of packets with respect to the number of packets received. In our analysis we sent about 600 packets and observed the packet loss. The graph in Figure 5 is drawn from these observations.
IV. COMPARISON WITH EXISTING APPLICATION (SNORT)
As shown in Table II, the major advantage of our NIDS over Snort is the ability to cluster intrusion rules and to alert the network administrator of possible malicious activity inside the network.
V. CONCLUSION
In this paper, the proposed network intrusion detection framework provides the ability to cluster signatures to prepare a more solid protection against potential network attacks. The framework also proposed a new data pre-processing approach in which we extracted about 25 different features from the received packets and categorized them according to the severity of the potential threat using the concept of fuzziness.
An interesting avenue for future work is predicting what kind of network patterns lead to vulnerabilities in the system by periodically analyzing the data collected in network information tables. This will also help incrementally build the signature database.
TABLE II. NIDS VERSUS SNORT

Feature                         | Snort 2.0                                  | Our application
Packet header processing        | Yes                                        | Yes (rules are based on header information)
Severity of packet              | Not alerted                                | Alerts with a message
Network type                    | Can work on Internet traffic               | Works efficiently for LAN
Packet loss                     | Nearly 2 packets per 1000 packets          | Nearly 2 packets per 600 to 700 packets
Traffic on non-standard ports   | Can analyze traffic on non-standard ports  | Can analyze traffic on non-standard ports, e.g. FTP traffic on a port other than 21
Packet payload                  | Yes                                        | No
No. of rules                    | About 2600                                 | More than 22 rules, created particularly for LAN
User defined rules              | Supported                                  | Supported
Clustering of one or more rules | N/A                                        | Supported