INTERNATIONAL JOURNAL OF IMAGING SCIENCE AND ENGINEERING (IJISE)
Network Anomaly Detector System for Active Networks

P. Jayashree (1), Dr. K. S. Easwarakumar (2)

(1) Department of Information Technology, Madras Institute of Technology, Anna University, Chennai
(2) Department of Computer Science and Engineering, College of Engineering, Anna University, Chennai
Email: [email protected]
Abstract—The increasing number of attacks necessitates an efficient intrusion system for mitigating them. Anomaly detection, among the other types of intrusion detection (ID), plays a vital role in intrusion detection systems (IDS). The various IDS proposed in the literature are not complete in detecting attacks to the desired probability. In this paper a complete solution to anomaly detection of intrusions in the network is drafted. A two stage detection process is assumed, where the IDS performs common pattern detection using signatures in the first stage, followed by an anomaly detector in the second stage. This paper focuses only on the second stage, anomaly detection. The detection is based on network traffic analysis with low monitoring overhead and is deployed in active networks. This paper attempts to define a complete anomaly detector utilising two novel algorithms, namely the packet marker algorithm and the mutual path algorithm, to provide an efficient and reliable solution for anomaly detection; its implementation is underway and it is expected to provide better response in terms of false positive/negative prediction and delay in prediction.

Index Terms—Active network, Anomaly detection, Intrusion detection, Network traffic
I. INTRODUCTION

Network security and intrusion detection systems are one of the key research areas in the networking era, as the most difficult problem today is how to deal with and rely on the huge volume of information that flows across the network while many network attacks are being reported every day. Even though many intrusion detection and a few intrusion prevention systems are discussed in the literature [1], [2], [3], each has its own limitations during deployment in practice. A two stage detection process is assumed, where the IDS performs common pattern detection using signatures in the first stage, followed by an anomaly detector in the second stage. In this paper a two stage intrusion system comprising a protocol decoder, a misuse detector and an anomaly detector, based on traffic pattern analysis, is proposed. The main focus is given to the third stage design, as a complete and efficient anomaly detector is vital at present due to the increasing volume and speed of network attacks. An efficient solution taking into account the parameters of detection rate, false alarm rate, ease of deployment and infrastructure adaptation is discussed; its implementation is underway and it is expected to provide better response in terms of false positive/negative prediction and delay in prediction, as it makes use of features of the active network architecture for deploying the solution.

Several approaches proposed to address intrusion detection are all passive and tend to be isolated, and their lack of real-time network-wide coordination limits their practical use in real-time detection. On the other hand, active networking is an emerging framework that increases the programmability of network components and enables applications to dynamically control how packets are handled. This customized packet processing opens new ways of securing networks that were not available in traditional passive networks. Thus active networks, an emerging networking paradigm [4], provide a promising way to handle intrusions. They permit deployment of new network services dynamically and with ease. They also allow user/application specific services to be carried out on specific packets during transit in the network. In this paper this feature of active networks is made use of to achieve a dynamic and efficient solution to combat intruders.

The rest of the paper is organized as follows. The next section discusses the active network architecture and a test bed, namely ANTS. In section 3, the taxonomy of intrusions and intrusion detection systems is discussed. Section 4 gives a brief overview of the existing related literature. In section 5, we present our proposed three tier IDS, and section 6 gives the implementation details of the same. Section 7 concludes the paper with the current work in progress.

IJISE,GA,USA,ISSN:1934-9955,VOL.2,NO.1, JANUARY 2008

II. ACTIVE NETWORKS

Active networks differ from traditional networks in the way data packets are handled. In a traditional network the network elements do very little predefined processing on the packets and only the end systems do application specific processing. In active networks, the network nodes are active in the sense that they imitate the end systems in carrying out any customized user/application specific processing on the packets passing through, as defined by the active code. Hence active networks can aid rapid deployment of new defensive software to thwart the threat of network intrusions and enable such software to be placed in locations in the network where it can be effective and efficient.

P.JAYASHREE, K.S.EASWARAKUMAR :NETWORK ANOMALY DETECTOR SYSTEM FOR ACTIVE NETWORKS

A. Architecture

Active networks have been used as a base to provide mobility and adaptability in a number of intrusion response proposals [5]. Two approaches exist to build active networks. In the discrete approach [6], the code to act upon the data packets is loaded out of phase, when required, into the active nodes, which are nothing but programmable routers. In the integrated approach the data and the associated active code are encapsulated as a single packet called a capsule and sent to the active nodes, where the active code gets loaded before execution [7]. The active nodes have a built-in mechanism to load the capsule and an execution environment to execute the code, as shown in Fig. 1. The presence of distrusted code in the network node poses a severe security threat; this is taken care of by the architecture itself and is not considered in the discussion of this paper.
Fig. 1. Active Node Architecture
B. ANTS toolkit

The active network test bed provided by the ANTS toolkit is based on the capsule design, which adds extensibility at the IP packet level [8]. The innovative properties of an ANTS network stem from the interaction between capsules and active nodes. The application and the channel components are modeled on those of conventional networks. ANTS uses mobile code techniques that enable new protocols to be deployed at both end systems and intermediate nodes. The protocol incorporates code forwarding routines into each node, which gets the application specific routines by a code distribution scheme. The forwarding routines are transferred to related capsule types, a code group, by the code distribution system. The capsule format used by ANTS is as depicted in Fig. 2.

Fig. 2. Capsule format (fields: Protocol Type, Shared Header, Unique Header)
III. INTRUSION DETECTION SYSTEM

Monitoring security breaches in an internetwork becomes crucial due to the growing number of web based services as well as intrusions. It is required to implement various systems that monitor IT security breaches. Intrusion Detection Systems (IDS) are those that have recently gained a considerable amount of interest. According to Amoroso, intrusion detection is a process of identifying and responding to malicious activity targeted at computing and networking resources.

A. Taxonomy of Intrusions

Passive intrusions aim at gaining access to penetrate the system without compromising IT resources. Active intrusions result in an unauthorized state change of IT resources. Internal intrusions arise from one's own internal/local network. External intrusions come from outside, frequently via the Internet.

B. Taxonomy of IDS

Based on architecture, an IDS can be catalogued as centralized, when deployed in a firewall or proxy system [11], or distributed [12]. A distributed IDS consists of multiple Intrusion Detection Systems over a large network, all of which communicate with each other. More sophisticated systems follow an agent structure principle, where small autonomous modules are organized in each host [13]. The role of the agent is to monitor and filter all activities within the protected area and to make an analysis and a response action. Based on deployment, an IDS is graded as host based (HIDS) if it depends on a single host's information, or network based (NIDS) when it exploits information obtained from a whole segment of the network. Typical network-based intrusion systems are Cisco Secure IDS (formerly NetRanger), Hogwash, Dragon and E-Trust IDS. Based on the response, an IDS is active when it takes some action such as shutting services down, logging an intruder or dropping packets as a reaction to the intrusion, and is said to be passive if it just generates some alarms or notifications to the user/application. Based on implementation method, IDS can be broadly classified as hardware based and software based systems. Hardware based IDS use non-deterministic finite automata [14], deterministic finite automata (DFA) [15], [16] and content addressable memory (CAM) based structures [17]. Software based systems employ different schemes, as cited in the next section, and decline in speed performance when the number of attack signatures becomes relatively large, since the processing of information in software is performed in a sequential manner. Based on the attack details and accomplishment, an IDS is marked as a misuse detection system, which is based on pattern matching using known predefined signatures of attacks, or an anomaly detection system, which tries to detect unknown attacks using learning and traffic analyzing techniques that periodically monitor network segments to compare their state with the normal baseline.

IV. REVIEW OF PREVIOUS IDS WORKS

Depending on the technique used for detection of intrusions, different IDS are proposed in the literature. A summary is briefed here for reference, based on the authors in [18], [19], [20]. The various IDS in the literature are summarized by Przemyslaw Kazienko and Piotr Dorosz [10] as briefed below. Expert systems work on a previously defined set of rules describing an attack, with aggregation and correlation schemes introduced on them. Common text string matching mechanisms are based on the attack knowledge; they transform the semantic description of an attack into the appropriate audit trail format. The Petri Nets approach is often used to generalize attacks from expert knowledge bases and to represent attacks graphically. In state-transition analysis an attack is described with a set of goals and transitions that must be achieved by an intruder to compromise a system; transitions are represented on state-transition diagrams. The statistical analysis approach is a frequently used method: the user or system behavior is measured by a number of variables over time, and the system uses the values for each variable along with a predefined threshold to match a typical user behavior model. Neural networks, such as the Bayesian neural network, use their learning algorithms to learn the relationship between input and output vectors and to generalize them to extract new input/output relationships. The advantage of using neural networks over statistics resides in having a simple way to express nonlinear relationships between variables, and in learning about relationships automatically. Analogies with immunology have led to the development of a technique that constructs a model of normal behavior of the system. Attacks that exploit flaws in the application code are very likely to take unusual execution paths, and an alarm is generated using genetic programming. Machine learning is an artificial intelligence technique that stores the user-input stream of commands in vector form and uses it as a reference normal user behavior profile. Data mining concepts use the process of extracting previously unknown but potentially useful data from large stores of data. The data mining method excels at processing large system logs (audit data); however, it is less useful for stream analysis of network traffic. Decision tree models allow one to detect anomalies in large databases. Apart from these techniques, a few active network based solutions have also been proposed recently, like the intrusion blocker structure [21] and sleepy watermarking packets [22]. All these systems perform well in some IDS efficiency characteristics like false alarm rate, detection efficiency, rapidness and automated deployment.

V. PROPOSED SYSTEM

In this paper a novel intrusion detection cum prevention approach is proposed, making use of the features of active network technology without any overhead of additional hardware or topology changes, as the solution can be deployed in selective routers of the active network with ease. The proposed system involves a two layer architecture, namely a misuse detector and an anomaly detector, and is based on traffic pattern analysis as shown in Fig. 3. Any intruder who has intruded upon the packet will definitely leave some imprint in the packet, which will be exploited by the application; this key idea is being explored for detecting intrusions in the three phases.
Fig. 3. Two stage IDS architecture (IDS in active routers: packets in the network from the source pass through the misuse detector, backed by an attack pattern database, and then the anomaly detector; checked packets are forwarded in the network)
A. Misuse detector

It uses pattern matching, looking for a fixed sequence of bytes in a single packet. As its name suggests, it is an approach that is fairly rigid but simple to employ. Pattern matching is the technique of simply looking for patterns. Generally this takes place at a much more granular level than protocol analysis or anomaly detection, usually within every individual packet. In our method a variant of the typical signature analysis is proposed. Instead of matching every packet against the rule set of known attacks, packets are classified based on flows and one packet for every 5 to 10 packets per flow is analysed for misuse detection. Secondly, the attack patterns are grouped by a pre-pattern analyzer and the incoming packets are scanned for attacks within one or a few groups of attack patterns only. This lessens the amount of inspection done on every packet and considerably reduces the delay in analysis without any drop in detection rate.

B. Anomaly detector

Anomaly based signatures are typically devised to look for network traffic that deviates from what is seen "normally". The main problem is to first define "normal" traffic. Anomaly detection examines traffic at an even higher level than either pattern matching or protocol analysis. In our method we have defined a heuristic algorithm, named the packet marker algorithm, to determine if the traffic contains an anomaly. In our projected method we have considered the payload part of the data packet for anomalies. Another novel algorithm, the mutual path algorithm, is devised to identify the best set of nodes to be designated as active nodes. The three main components are as in Fig. 4, aiming at a low false alarm rate. To support the implementation of these algorithms, the packet structure is modified with additional fields containing source authentication, previous hop address, first hop router address and a message digest of the flow, in addition to the typical header fields.
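One way to realize the flow-sampled, grouped signature scan of the misuse detector (V.A) in code, as an added Python illustration that is not the paper's code: signatures, addresses and packets below are constructed placeholders, and the Jaccard-based grouping heuristic stands in for the paper's unspecified pre-pattern analyzer.

```python
"""Flow-sampled, grouped signature scan (added illustration, not the paper's code).
Packets are bucketed by flow, one packet in every N per flow is inspected, and
signatures are grouped by shared bytes so a whole group is skipped when a byte
that every member needs is absent from the payload. All values are constructed."""
from collections import defaultdict

# Constructed sample signatures (placeholders, not real attack signatures).
SIGNATURES = {
    "sig-a": b"/../..",
    "sig-b": b"/etc/pw",
    "sig-c": b"<script",
    "sig-e": b"<scr1pt",
}

def build_groups(signatures, n_groups=4):
    """Pre-pattern analyzer (assumed heuristic): greedily cluster signatures by
    Jaccard similarity of their byte alphabets into at most n_groups groups.
    Each group keeps 'required', the bytes common to all members, as its test."""
    groups = []
    for name, pat in signatures.items():
        alpha = set(pat)
        best, best_score = None, 0.0
        for g in groups:
            score = len(alpha & g["alphabet"]) / len(alpha | g["alphabet"])
            if score > best_score:
                best, best_score = g, score
        if best is None or (len(groups) < n_groups and best_score < 0.5):
            groups.append({"names": [name], "alphabet": set(alpha), "required": set(alpha)})
        else:
            best["names"].append(name)
            best["alphabet"] |= alpha
            best["required"] &= alpha
    return groups

def scan_packet(payload, groups, signatures):
    """Return names of signatures found in payload, scanning a group's members
    only when every byte the group requires occurs in the payload. This is
    sound: a matching member implies all of its own bytes are present."""
    present = set(payload)
    hits = []
    for g in groups:
        if not g["required"] <= present:
            continue  # a byte every member needs is missing: skip the whole group
        hits.extend(n for n in g["names"] if signatures[n] in payload)
    return hits

class FlowSampler:
    """Inspect the 1st, (N+1)th, (2N+1)th ... packet of each (src, dst) flow."""
    def __init__(self, every=5):
        self.every = every
        self.seen = defaultdict(int)

    def should_inspect(self, src, dst):
        key = (src, dst)
        self.seen[key] += 1
        return (self.seen[key] - 1) % self.every == 0

def run(packets, every=5):
    """Misuse detector over a packet list; returns (src, dst, signature) alerts."""
    groups = build_groups(SIGNATURES)
    sampler = FlowSampler(every)
    alerts = []
    for src, dst, payload in packets:
        if sampler.should_inspect(src, dst):
            alerts.extend((src, dst, n) for n in scan_packet(payload, groups, SIGNATURES))
    return alerts

# Constructed traffic: two flows; the 3rd packet of the first flow carries
# signatures but falls outside the 1-in-5 sample, showing the sampling trade-off.
PACKETS = [
    ("10.0.0.1", "10.0.0.2", b"GET /../../etc/x HTTP/1.0"),
    ("10.0.0.1", "10.0.0.2", b"GET /index.html HTTP/1.0"),
    ("10.0.0.1", "10.0.0.2", b"GET /../../etc/pw HTTP/1.0"),
    ("10.0.0.1", "10.0.0.2", b"GET /a HTTP/1.0"),
    ("10.0.0.1", "10.0.0.2", b"GET /b HTTP/1.0"),
    ("10.0.0.3", "10.0.0.2", b"POST / <script>x</script>"),
]
```

Running `run(PACKETS)` with the default 1-in-5 sampling raises two alerts and misses the third packet of the first flow, whereas `run(PACKETS, every=1)` raises four; the paper's claim of no drop in detection rate therefore depends on how many packets of an attacking flow carry the signature.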
Fig. 4. Components of anomaly detector (first hop router identifier, active node identifier and anomaly detection unit, operating on each packet)

VI. IMPLEMENTATION AND INFERENCES

The IDS solution runs selectively on active network enabled routers. There are three important modules in the system: application, protocol and capsule. Protocols are the unit in which the network is customized; they serve to group related capsule types for use by the network. Capsules are the functional units that are transferred across the network, and by examining them the routers carry out the intrusion detection in the system. Applications are the entities that make use of the network to send and receive capsules as well as to run independent activities.

A. Misuse Detector

It is implemented using the multi-pattern approach of Boyer-Moore, which is fast for a few rules, and hence the pattern clustering technique is adopted in our method. To improve the efficiency of the implemented system and to reduce the delay, the patterns have been grouped according to the similarity in their content into four classes. The system checks for the obvious presence of a pattern group by checking against the characters forming the group.

B. Anomaly Detector

This module is given more focus in this paper, to reduce the false alarm rate and improve the detection efficiency. The following sub modules are designed for implementation: the first hop router identifier, the active node identifier and the anomaly detector. In our previous paper [24], an algorithm is defined to find the routers in the first hop from a given source. The algorithm is used to determine the first hop routers of a source node, and each is defined as an active node. The first hop router generates a message digest (M1) using MD5 on the payload of the packet, assuming that the packet has not been intruded upon in the first hop itself, and stores this value under a hash generated from the source and destination addresses, to conserve storage space, so that packets are hashed according to the flow of packets in the network. It also calculates another digest value (M2) using MD5 on its own address, so as to detect an attack on the first hop router address field itself, and includes it in the capsule. It is assumed that the message digest functions are global functions known to all active routers for this IDS application.

Checking at each and every router unnecessarily increases the delay in the system linearly with the number of nodes. To avoid this escalation, we have dynamically configured the network so that only selected routers at strategic positions do the checking. The ideal placement of active routers for this application is derived using the mutual path algorithm, devised as follows. The mutual path algorithm computes all mutually exclusive paths for a flow in the network. These are depicted as sets of nodes. An intersection operation on these sets produces the list of nodes which should be active, as every flow should pass through at least one node in the set generated and hence be subjected to IDS evaluation.

Each packet carries a field for the first hop router address, and some routers in the path are identified as active routers for the IDS implementation. These routers, on receiving the packets, generate the M2 value based on the first hop field in the capsule and verify it against the capsule's M2 field. Once the first hop router address is confirmed, the active router computes the payload digest M1 and sends a probe packet directly to the first hop router to confirm the value before forwarding the packet. Otherwise it drops the packet and notifies the source, as a means of prevention. The only overhead is the sending of probe packets between active nodes and the source, and since not all nodes are active and not all packets are verified, the probe packets introduce very little traffic compared to the heavy data traffic in the network. Subject to the results in terms of detection rate and false alarm rate, the method can be applied on every packet traversing the active nodes. The system is tested using several topologies and results are discussed for a sample topology using the ANTS tool, with two legal sources, two destination nodes, an unknown host depicted as the intruder and two active routers.

Some of the factors affecting the performance of pattern matching include pattern sizes, pattern group sizes and pattern character case sensitivity. The search done with pattern matching can be optimized if the different patterns can be grouped based on some other criteria. It is better than an unclustered pattern list, as found in Fig. 5.

Fig. 5. Performance analysis of pattern matching (delay in ms against number of patterns, with and without grouping)

It is claimed that when the IDS is deployed on selective active nodes the performance is improved, as shown in Fig. 6.

Fig. 6. Performance analysis for anomaly detection (delay in ms against number of nodes, checking at all routers versus at selected active routers)
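The digest exchange of VI.B with both sides' messages, as an added Python illustration that is not the paper's or the ANTS toolkit's code: a first hop router marks each capsule with M1 and M2, and a downstream active router verifies M2, recomputes M1 and probes the first hop before forwarding. MD5 is used because the paper specifies it; the capsule fields, the flow-key construction, the probe interface and the router names are assumptions.

```python
"""Packet-marker digest exchange between a first hop router and a downstream
active router (added illustration, not the paper's code). MD5 is used because
the paper specifies it; capsule fields, flow-key hash, probe interface and
node names are assumptions."""
import hashlib
from dataclasses import dataclass, field

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def flow_key(src: str, dst: str) -> str:
    """Flow index from source and destination: the paper stores M1 per flow."""
    return md5_hex(f"{src}>{dst}".encode())

@dataclass
class Capsule:
    src: str
    dst: str
    payload: bytes
    first_hop: str = ""   # first hop router address field, set by the first hop
    m2: str = ""          # M2 = MD5(first hop address), protects the field above

@dataclass
class FirstHopRouter:
    address: str
    flows: dict = field(default_factory=dict)   # flow_key -> M1 = MD5(payload)

    def forward(self, cap: Capsule) -> Capsule:
        # The payload is assumed not to have been tampered with before the first hop.
        self.flows[flow_key(cap.src, cap.dst)] = md5_hex(cap.payload)
        cap.first_hop = self.address
        cap.m2 = md5_hex(self.address.encode())
        return cap

    def probe(self, key: str, m1: str) -> bool:
        """Answer an active router's probe: does M1 match what was stored?"""
        return self.flows.get(key) == m1

@dataclass
class ActiveRouter:
    address: str
    first_hops: dict                              # address -> FirstHopRouter (probe channel)
    notified: list = field(default_factory=list)  # (source, reason) for dropped capsules

    def check(self, cap: Capsule) -> str:
        """Return 'forward' or 'drop' for a capsule arriving at this active node."""
        # Step 1: verify the first hop address field through M2.
        if md5_hex(cap.first_hop.encode()) != cap.m2:
            self.notified.append((cap.src, "first hop field altered"))
            return "drop"
        # Step 2: recompute M1 and confirm it with the first hop router by probe.
        fh = self.first_hops.get(cap.first_hop)
        if fh is None or not fh.probe(flow_key(cap.src, cap.dst), md5_hex(cap.payload)):
            self.notified.append((cap.src, "payload digest mismatch"))
            return "drop"
        return "forward"

def scenarios() -> tuple:
    """Constructed run: a clean capsule, one altered in transit, and one whose
    first hop field was rewritten. Returns the three verdicts in that order."""
    r1 = FirstHopRouter("r1")
    r5 = ActiveRouter("r5", {"r1": r1})
    clean = r1.forward(Capsule("h1", "h9", b"GET /index.html"))
    verdict_clean = r5.check(clean)
    altered = r1.forward(Capsule("h1", "h9", b"GET /index.html"))
    altered.payload = b"GET /index.htmX"          # changed between r1 and r5
    verdict_altered = r5.check(altered)
    spoofed = r1.forward(Capsule("h1", "h9", b"GET /index.html"))
    spoofed.first_hop = "r2"                      # field rewritten, M2 no longer matches
    verdict_spoofed = r5.check(spoofed)
    return verdict_clean, verdict_altered, verdict_spoofed
```

Because the paper keys M1 by flow, the first hop's table holds only the latest payload digest per flow, so verifying every packet of a flow would need a per-packet key or sequence number; the conclusion lists packet sequencing and frequency as future design parameters.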
VII. CONCLUSION AND WORK IN PROGRESS

In the internetworking era, intrusion detection and prevention is becoming crucial every day, following the different types of attacks. Active network based solutions to intrusion response problems have been explored and, assuming that active network capable routers become widespread in the future, the active network based two stage intrusion detection cum prevention system is designed and developed. These systems monitor network traffic to identify use, misuse or abuse of network data. The proposed system is scalable and adaptable, taking into account the benefit of active network technology. The first stage of the proposed system was implemented in the active network test bed and analyzed for performance measures against traditional networks. The implementation of the second stage is in progress. The attack traffic is generated manually for testing. After the complete system is ready in the near future, it is planned to evaluate the exact IDS parameters using benchmark intrusion data sets and analyze them for better performance in terms of a high detection rate and a low false alarm rate. Moreover, the sequencing and frequency of packets in a flow can also be considered as design parameters for more accurate results. It is concluded that the network intrusion detector is to be viewed as an intelligence device, not just a security device.

VIII. REFERENCES

[1] Sandhya Peddabachigari, Ajith Abraham, Crina Grosan, Johnson Thomas, "Modeling intrusion detection system using hybrid intelligent systems", Journal of Network and Computer Applications, June 2005.
[2] X. Y. Wang, "Survivability through Active Intrusion Response", In Proceedings of 3rd IEEE Information Survivability Workshop (ISW2000), October 2000.
[3] H. F. Lipson, "Tracking and tracing cyber-attacks: Technical challenges and global policy issues", Special Report CMU/SEI-2002-SR-009, CERT Coordination Center (2002).
[4] K. L. Calvert, S. Bhattacharjee and E. Zegura, "Directions in Active Networks", IEEE Communication Magazine, 1998.
[5] D. Tennenhouse and D. J. Wetherall, "Towards active network architecture", Computer Communications Review, 2006.
[6] Liu et al., "Active security support for active networks", IEEE Transactions on Systems, Man and Cybernetics, 2003.
[7] D. J. Wetherall et al., "Active network vision and reality: lessons from a capsule based system", 17th ACM Symposium on Operating Systems Principles.
[8] D. Wetherall, J. Guttag and D. Tennenhouse, "ANTS: A Toolkit for Building and Dynamically Deploying Network Protocols", In Proceedings of IEEE OPENARCH 1998.
[9] Ryon Packer, "A Basic Guide to Intrusion Detection", web white paper, 2002.
[10] Przemyslaw Kazienko and Piotr Dorosz, "Intrusion Detection Systems (IDS)", web white paper, 2004.
[11] E. Lundin, E. Jonsson, "Survey of research in the intrusion detection area", Technical Report 02-04, Department of Computer Engineering, Chalmers University of Technology, Göteborg, January 2002.
[12] C. Krügel, T. Toth, "Distributed Pattern Detection for Intrusion Detection", Conference Proceedings of the Network and Distributed System Security Symposium NDSS '02, 2002.
[13] C. Krügel, T. Toth, "Applying Mobile Agent Technology to Intrusion Detection", ICSE Workshop on Software Engineering and Mobility, Toronto, May 2001.
[14] C. R. Clark and D. E. Schimmel, "A Pattern-Matching Co-Processor for Network Intrusion Detection Systems", IEEE International Conference on Field Programmable Technology (FPT), 68–74, 2003.
[15] T. K. Lee, S. Yusuf, W. Luk, M. Sloman, E. Lupu and N. Dulay, "Compiling Policy Descriptions into Reconfigurable Firewall Processors", Proc. Symposium on Field-Programmable Custom Computing Machines, 39–48, 2003.
[16] R. Franklin, D. Carver and B. L. Hutchings, "Assisting Network Intrusion Detection with Reconfigurable Hardware", Proc. Symposium on Field-Programmable Custom Computing Machines, 2002.
[17] M. Gokhale et al., "Granidt: Towards Gigabit Rate Network Intrusion Detection Technology", IEEE International Conference on Field-Programmable Technology (FPT), 404–413, 2002.
[18] Srilatha Chebrolu, Ajith Abraham, Johnson P. Thomas, "Feature deduction and ensemble design of intrusion detection systems", Computers & Security (2004).
[19] J. Ragsdale, C. A. Carver, J. W. Humphries, U. W. Pooh, "Adaptation techniques for intrusion detection and intrusion response systems", Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, 2000.
[20] Axelsson S., "Intrusion Detection Systems: A Taxonomy and Survey", Technical Report No 99-15, Dept. of Computer Engineering, Chalmers University of Technology, Sweden, March 2000.
[21] William La Cholter et al., "IBAN: Intrusion Blocker based on Active Networks", Proceedings of the DARPA Active Networks Conference and Exposition, IEEE 2002.
[22] Xinyuan Wang, Douglas S. Reeves, S. Felix Wu, Jim Yuill, "Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework", Defense Advanced Projects Agency.
[23] Han-Pang Huang and Chia-Ming Chang, "An Active Network-Based Intrusion Detection and Response System", Proceedings of the 2004 IEEE International Conference on Networking, Sensing & Control.
[24] P. Jayashree, K. S. Easwarakumar, "An alternative approach to DDoS attack defense in active networks", Proceedings of International Conference on Information Security, Pondicherry Engineering College, India, Dec. 2005.
[25] N. S. Lau and L. E. Schimmel, "Intrusion Detection System Models", Survey Paper, 2004.