Apply Data Mining to Defense-in-Depth Network Security System

Nen-Fu Huang+,*, Chia-Nan Kao**, Hsien-Wei Hun**, Gin-Yuan Jai*, Chia-Lin Lin*
* Department of Computer Science, National Tsing Hua University, Taiwan
** Institute of Communication Engineering, National Tsing Hua University, Taiwan
+ Broadweb Corp., Science-based Industrial Park, Hsin-Chu, Taiwan
E-mail: [email protected]

Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA'05), 1550-445X/05 $20.00 © 2005 IEEE

Abstract

This paper proposes a defense-in-depth network security architecture and applies data mining technologies to analyze the alerts collected from distributed intrusion detection and prevention systems (IDS/IPS). The proposed defense-in-depth architecture consists of a Global Policy Server (GPS) that manages the scattered intrusion detection and prevention systems, each of which is managed by a Local Policy Server (LPS). The key component of the GPS is the security information management (SIM) module, where data mining technology is employed to analyze the events (alerts) collected from the LPSs. Once a DDoS attack is recognized by the SIM module, the GPS informs the LPSs (IDS/IPS) to adjust their thresholds immediately to block the attack at its sources. To evaluate the effectiveness of the proposed defense-in-depth architecture, a prototype is implemented in which three different data mining tools are employed. Experiment results demonstrate that for detecting DDoS attacks, the proposed data mining-based defense-in-depth architecture performs very well in terms of attack detection rate and false alarm rate.

Keywords: Defense-in-depth, Data Mining, Network Security, IDS, IPS.

1. Introduction

The number of network security incidents grows with the scale of the Internet year by year. The attacks can be classified into several categories: backdoor, password guessing, buffer overflow, port scanning, denial-of-service (hereafter referred to as DoS), distributed denial-of-service (hereafter referred to as DDoS), etc. The CERT® Coordination Center [6], a center of Internet security expertise, has reported 831 vulnerabilities, while SNORT [7] has 2200 rules in its signature database. DoS is a harmful attack. The objective of an aggressor launching a DoS attack is not to intrude into the designated system but to consume its resources. By sending malicious IP, ICMP, UDP or TCP packets to the designated system from a single PC, an aggressor can easily do this because of a weakness of the TCP/IP protocol, which always allows a user to send a large number of packets.

Two main technologies used by current IDS/IPS to detect attacks are misuse detection and anomaly detection. The former is signature-based: it uses pre-defined signatures to detect attacks, so a normal flow that happens to contain one of the signatures may confuse the IDS and lead to a false positive. The latter first observes the normal flow (based on protocols, or even applications) for a period of time and then sends out alerts when the real traffic pattern does not match the normal one. This paper concentrates on how to enlarge the power of data mining in detecting attacks over a network. Many data mining tools have been employed for the purpose of intrusion detection. For example, in [1], an agent-based mining architecture was employed to discover consistent and useful patterns [12] of features describing program and user behavior. Two experiments in learning intrusion models for classification rules were made, on SENDMAIL data and on TCPDUMP data. The same mining tool, RIPPER [2-3], a classification rule learning program, is used in both experiments; for the sake of simplicity, we take only the TCPDUMP part as our test environment in this paper. Much research on applying data mining to IDS has been proposed, such as IDES [8], NIDES [9], EMERALD [10], Haystack [11] and JAM [12]. Many data mining tools have also been proposed and tested recently; for example, C/See 5.0 is derived from classical theorems of statistics and data mining [14]. Another data mining tool, RIPPERk, was published by William Cohen [2], and a modified version was presented later [3]. The RIPPERk algorithm is based on the IREP algorithm from C4.5. It improves the effectiveness and obtains a better error rate than IREP. RIPPER is an implementation of the RIPPERk algorithm on the UNIX platform with several advantages over other learning techniques. Recent versions of RIPPER also support bag-valued attributes [16].

The other famous data mining tool is the IBM® DB2 Intelligent Miner for Data (hereafter referred to as DB2Miner) [15]. While C/See 5.0 and RIPPER implement only learning algorithms for classification, DB2Miner is an all-round one [15]. DB2Miner also supports multiple platforms such as AIX, Solaris, Windows, etc. It uses proven data mining algorithms to gain valuable knowledge from the training data.

This work was supported by the National Science Council, Taiwan, under contracts NSC-89-E-FA04-1-4, NSC-93-2213-E-007-072 and NSC-93-2752-E-007-002-PAE.
2. Defense-in-Depth Network Security Architecture

The proposed defense-in-depth network security architecture consists of many LANs connected by the Internet, as shown in Figure 1.

[Figure 1 (diagram not recovered): several LANs, each equipped with an IDS/IPS, a router and an LPS with its DB, connected through the Internet backbone; one site additionally hosts the GPS. Legend: LPS: Local Policy Server, GPS: Global Policy Server.]

Figure 1. The proposed defense-in-depth network security architecture.

This architecture is very common; for example, an enterprise network may contain a headquarters and many branch offices. Each LAN is equipped with an IDS/IPS and a local policy server (LPS). The headquarters, in addition to its IDS/IPS and LPS, is also equipped with a global policy server (GPS) that monitors and controls the behavior of the IDS/IPS scattered over the branches. Each LPS is equipped with a database that stores the signatures as well as the collected local alerts/logs. The GPS is also equipped with a database for storing the logs sent from the LPSs. The security information management (SIM) module of the GPS is responsible for analyzing the collected logs with data mining technologies to identify whether any DDoS attack has been launched on the network. Once DDoS attacks are identified by the GPS (attacks that an individual IDS/IPS is unable to identify), it sends commands to the scattered LPSs (IDS/IPS) to eliminate the attack packets leaking from the LANs by adjusting the detection thresholds dynamically.

3. System Architecture of the Global Policy Server

The architecture of the GPS consists of four components: the Security Information Management (SIM) module, the Global Log Server (GLS), the GUI, and the Global Database. The GUI provides the administrator with a convenient interface to control the GPS. The GLS handles all the logs sent from the LPSs. To manage a large number of LPSs, the GLS should be able to handle many log connections simultaneously. To do this, the GLS spawns a fixed number of threads to accept log connection requests. Each thread deals with one log connection; once the log has been stored into the global database successfully, the connection is closed. The mission of the SIM module is to detect DDoS attacks by employing data mining technologies.

3.1 Data mining framework

The system architecture of the proposed SIM module is shown in Figure 2, which consists of an online detecting phase and an offline training phase.

Figure 2. System Architecture of the SIM module

There are four main components in the online detecting phase: (1) the online data miner, which classifies the records in the active database to detect attacks; (2) the rules tuner, which runs the machine learning algorithm and tunes the parameters of the rules accordingly; (3) the GLS, which receives the logs from the LPSs and stores them into the active database; and (4) the policy dispatcher, which waits for commands from the online miner. The Alarm Manager (AM) prompts the administrator when an attack is detected by the Online Data Miner (ODM). When an alarm is raised, the AM asks the administrator for a confirmation response. There are three types of confirmation: an attack, a false alarm, or an unclear event. The AM records the response in a database and invokes the Machine Learning Mechanism (MLM) to learn from the response.

To build the classifiers for online detecting, three steps are established: (1) Data preprocessing: first select some records from the active database and manually mark every record as DDoS-relevant or DDoS-non-relevant, then reformat the records into the input format of the designated data mining tool; (2) Run the data mining tool: this yields a rule set learned from the training data sets we prepared; and (3) Remodeling: the rule set is not yet ready to be run, so it must be remodeled into an executable type.

The data flow of the online detecting phase is separated into three stages (shown in Figure 5): loading, monitoring and event handling.

- Loading: in this stage, all drivers (APIs) are loaded. One reason for preloading is that performance is considered before memory cost. The classifiers are also loaded and initialized at this stage.
- Monitoring: this stage is an endless loop that first schedules the threads corresponding to the classifiers periodically, then waits and checks whether there is any attack. If there is, it gathers the information and passes it to the event handling stage.
- Event handling: when an event is passed to this stage, it first uses the policy API to send commands to the LPSs, waits for a response to this event (alarm) and stores it into shared memory, and then invokes the MLM to learn from the result.

4. System Implementation and Experiment Results

In our system implementation, the IPS NetKeeper [17] and the IDS SNORT [11] are employed. The detailed event information from NetKeeper is stored in two independent tables, while SNORT stores it in eight.

4.1 Learning Results

Over an 18-day period, NetKeeper detected 886,764 events. Over a 5-day period, SNORT detected 11,070 events. Since frequently repeated data is not meaningful for classification mining, we randomly removed repeated logs before classification mining with tools such as RIPPER and See 5.0. Table I shows the learning results, including the number of learned rules and the learning time required. For example, for the classification rules, RIPPER, See 5.0 and DB2Miner take 4 minutes and 25 seconds, 9 minutes and 10 seconds, and 5 minutes and 55 seconds, respectively.

4.2 Intrusion Detection Results

Considering the possible behaviors of an aggressor, five classes of events are included in the experiment: single class, mix-2 class, mix-3 class, mix-4 class and all-class, which are distinguished by their attacking flows. Each type in the single class has one kind of flooding flow, while each type in the mix-2 class has two kinds of flooding flows. There are 30 types of events in total in this experiment, listed below.

- Single type (8 types included): SYN Flooding, TCP Flooding, UDP Flooding, UDP Smurfing, IP Flooding, ICMP Flooding, ICMP Smurfing, IGMP Flooding.
- Mix-2 type (12 types included): TCP-SYN, TCP-IP, TCP-ICMP, TCP-IGMP, TCP-UDP, UDP-IP, UDP-ICMP, UDP-IGMP, IP-SYN, IP-ICMP, IP-IGMP, ICMP-IGMP.
- Mix-3 type (5 types included): TCP-SYN-IP, TCP-SYN-UDP, SYN-UDP-IP, SYN-IP-ICMP, UDP-ICMP-IP.
- Mix-4 type (3 types included): SYN-TCP-ICMP-IP, SYN-TCP-UDP-IP, TCP-UDP-ICMP-IP.

4.2.1 Detection Rate

We tested every type of event 30 times to check whether the system can detect it, and a summary for each class is provided in Figure 3. We note that all the detection rates are over 95%. If the IGMP-related events are not counted, the detection rates are about 99%, which is a very good result.

Figure 3. Detection Rate of the Experiment

4.2.2 False Alarm Rate

The number of false alarms is defined here as the number of false negatives plus the number of false positives. The false alarm rates of the experiment are shown in Figure 4. Again, the false alarm rates of IGMP-related events are abnormally high. If IGMP-related events are left out, we get an average false alarm rate of about 1%, which is a competitive result. In fact, since the experiment was not run over a long period of time, we found that some messages were mixed together, and those messages in fact imply another attack. In other words, if a longer interval between events is taken in the experiment, the false alarm rate can certainly be improved further.

Figure 4. False Alarm Rate of the Experiment
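As an added example (not the paper's code), the following Python sketches remodeling step (3) of Section 3.1, turning a textual RIPPER-style rule set into executable predicates, and then scores the resulting classifier with the Section 4.2 metrics: detection rate per event type and false alarms counted as FN + FP. The rule text format, the attribute names and the labelled records are constructed assumptions, not the rules or data of the paper.

```python
import re
from collections import Counter
# Constructed RIPPER-style rule list: the text format is an assumption of this example
# and these are not the rules learned in the paper. Attributes are per-interval counts.
RULES_TEXT = """
ddos :- syn_count>=200, uniq_src>=50 (118/2).
ddos :- icmp_count>=300 (64/1).
ddos :- udp_count>=300, uniq_src>=50 (71/3).
normal :- true (412/9).
"""
COND_RE = re.compile(r"(\w+)(>=|<=)(\d+)")
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def remodel(rules_text):
    """Section 3.1 step (3): turn the textual rule set into ordered (label, predicate) pairs."""
    rules = []
    for line in rules_text.strip().splitlines():
        label, body = line.split(":-", 1)
        conds = COND_RE.findall(body.rsplit("(", 1)[0])  # default rule "true" yields no conditions
        rules.append((label.strip(), lambda rec, c=conds: all(OPS[op](rec[a], int(v)) for a, op, v in c)))
    return rules

def classify(rules, rec):
    """Ordered rule list: the first rule whose conditions all hold decides the class."""
    return next((label for label, pred in rules if pred(rec)), "normal")

def evaluate(rules, records):
    """Detection rate per event type (4.2.1) and false alarms = FN + FP (4.2.2 definition)."""
    seen, hit, fn, fp = Counter(), Counter(), 0, 0
    for rec in records:
        guess = classify(rules, rec)
        if rec["label"] == "ddos":
            seen[rec["type"]] += 1
            hit[rec["type"]] += guess == "ddos"   # detected attack
            fn += guess != "ddos"                 # missed attack
        else:
            fp += guess == "ddos"                 # normal interval flagged
    return {t: hit[t] / seen[t] for t in seen}, fn + fp, (fn + fp) / len(records)

# Constructed per-interval alert summaries, hand-labelled as in preprocessing step (1).
RECORDS = [
    {"type": "SYN Flooding", "label": "ddos", "syn_count": 950, "udp_count": 5, "icmp_count": 3, "uniq_src": 120},
    {"type": "SYN Flooding", "label": "ddos", "syn_count": 600, "udp_count": 8, "icmp_count": 2, "uniq_src": 10},
    {"type": "UDP Flooding", "label": "ddos", "syn_count": 12, "udp_count": 800, "icmp_count": 4, "uniq_src": 90},
    {"type": "ICMP Flooding", "label": "ddos", "syn_count": 9, "udp_count": 11, "icmp_count": 500, "uniq_src": 70},
    {"type": "normal", "label": "normal", "syn_count": 20, "udp_count": 15, "icmp_count": 1, "uniq_src": 8},
    {"type": "normal", "label": "normal", "syn_count": 40, "udp_count": 10, "icmp_count": 350, "uniq_src": 3},
]
if __name__ == "__main__":
    rates, alarms, rate = evaluate(remodel(RULES_TEXT), RECORDS)
    print(rates, alarms, round(rate, 3))  # SYN 0.5, UDP 1.0, ICMP 1.0; 2 false alarms (1 FN + 1 FP), rate 0.333
```

The second SYN record (one source, many SYNs) is missed because the learned rule requires many sources, and the second normal record is flagged by the ICMP rule; both count toward the false alarm total, which is exactly how the paper's metric penalises the classifier.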
Table I. Learning Results (number of learned rules / learning time)

Tool        Classification Rule    Association Rule    Frequent Rule
RIPPER      14 / 4m25s             -                   -
See 5.0     12 / 9m10s             -                   -
DB2Miner    9 / 5m55s              3 / 6m10s           5 / 5m0s

5. Conclusions

A defense-in-depth network security architecture that applies data mining technologies to analyze the alerts collected from distributed IDS/IPS has been proposed in this paper. The proposed defense-in-depth architecture consists of a GPS that manages the scattered intrusion detection and prevention systems, each of which is managed by an LPS. A security information management (SIM) module is designed for the GPS, where data mining technology is employed to analyze the events (alerts) collected from the LPSs. Once a DDoS attack is detected by the SIM module, the GPS informs the LPSs (IDS/IPS) to adjust their thresholds immediately to block the attack at its sources. To further evaluate the effectiveness of the proposed architecture, a defense-in-depth network prototype was implemented, and three data mining tools, RIPPER, See 5.0 and DB2Miner, were employed for detecting 30 types of events. Experiment results demonstrate that for detecting DDoS attacks, the proposed data mining-based defense-in-depth architecture performs very well in terms of attack detection rate and false alarm rate.

References

[1] W. Lee, S.J. Stolfo, "A Framework for Constructing Features and Models for Intrusion Detection Systems", ACM Transactions on Information and System Security, Vol. 3, No. 4, Nov 2000, pp. 227-261.
[2] W.W. Cohen, "Learning trees and rules with set-valued features", Proceedings of the 13th International Conference on Artificial Intelligence, Portland, Oregon, 1996, pp. 709-716.
[3] W.W. Cohen, "Fast efficient rule learning", Proceedings of the 12th International Conference on Artificial Intelligence, Hagen, Germany, 1995.
[4] M. Li, W. Jia, W. Zhao, "Decision Analysis of Network-Based Intrusion Detection Systems for Denial-of-Service Attacks", Proceedings of the IEEE International Conference on Infotech and Infonet (ICII 2001), pp. 1-6.
[5] R. Srikant, "Fast Algorithms for Mining Association Rules and Sequential Patterns", PhD dissertation, University of Wisconsin - Madison, 1996.
[6] CERT® Coordination Center (CERT/CC), http://www.cert.org/
[7] The Open Source Network Intrusion Detection System, SNORT, http://www.snort.org/
[8] T.F. Lunt and R. Jagannathan, "A Prototype Real-Time Intrusion-Detection Expert System", Proceedings of the IEEE Symposium on Security and Privacy, 1988, pp. 18-21.
[9] D. Anderson, T. Frivold and A. Valdes, "NIDES: A Summary", http://www.sdl.sri.com/nides/index5.html
[10] P.A. Porras and P.G. Neumann, "EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances", Proceedings of the National Information Systems Security Conference, 1997, pp. 353-365.
[11] S. Smaha, "Haystack audit trail analysis system", Status Report HS-STAT.TXT, Haystack Laboratories, Colorado, Aug. 1990.
[12] W. Lee and S. Stolfo, "Data Mining Approaches for Intrusion Detection", Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, USA, 1998, pp. 79-94.
[13] D. Barbará, J. Couto, S. Jajodia, and N. Wu, "ADAM: Detecting Intrusions by Data Mining", Proceedings of the IEEE SMC Information Assurance Workshop, West Point, NY, 2001, pp. 1100-1130.
[14] RuleQuest Research Data Mining Tools, C/See 5.0, http://www.rulequest.com/
[15] IBM DB2 Intelligent Miner, Intelligent Miner for Data, http://www-3.ibm.com/software/data/iminer/
[16] William W. Cohen, RIPPER, http://www-2.cs.cmu.edu/~wcohen/
[17] BroadWeb Corporation, NetKeeper – IPS, http://www.broadweb.com/