Integrating Grid with Intrusion Detection

Fang-Yie Leu, Ming-Chang Li, Jia-Chun Lin, Fu-Yi Yang*
Department of Computer Science and Information Engineering, Tung-Hai University, Taiwan.
*Department of Electronic Engineering, Chienkuo Technology University, Taiwan.
Corresponding email: {leufy, g932811}@thu.edu.tw

Abstract
In recent years, Distributed Denial-of-Service (DDoS) and Denial-of-Service (DoS) have been the most dreadful network threats. A single-node IDS often loses its detection effectiveness and capability when processing enormous network traffic. To overcome these drawbacks, we propose a Grid-based IDS, called Grid Intrusion Detection System (GIDS), which uses Grid computing resources to detect intrusion packets. To balance the detection load, a Score Subtraction Approach (SSA) and a Score Addition Approach (SAA) are deployed. Furthermore, to detect intrusions effectively, a two-phase packet detection process is proposed. The first phase detects logical and momentary attacks; chronic attacks are detected in the second phase. Experiments are also performed, and the results show that GIDS is an outstanding system for detecting attacks.

Keywords: GIDS, momentary attack, chronic attack, SSA, SAA, Grid.

1. Introduction
Recently, Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) have become the most serious and dreadful threats coming from the Internet. Generally, the packets of a DoS/DDoS attack are sent within a short period of time, e.g. one or two seconds. We call these momentary DoS/DDoS attacks. Many network security devices can detect them. However, clever intruders may prolong the attack period to ten or twenty seconds, or change the attack frequency, to evade and paralyze Intrusion Detection Systems (IDSs). We call these chronic attacks. IDSs and firewalls are the most widely deployed security devices. They are often installed on a single-node host, which may easily lose its detection capability, or even be crashed, under a high-volume flood attack. In this article, we propose a Grid Intrusion Detection System (GIDS), which deploys Grid computing to solve these problems. Grid computing aggregates distributed resources and technologies to form a dynamic, distributed virtual organization over a LAN or WAN. With high-performance resources and excellent throughput, it is frequently used to process difficult and complex problems [2, 3]. The merits of Grid are three-fold. First, the high detection workload is shared among nodes. Second, a system crash caused by handling enormous traffic can be avoided. Third, resource access, management, allocation and security are supported by Grid itself. Besides momentary and chronic DoS/DDoS, GIDS can also detect logical attacks, which are performed by exploiting vulnerabilities in system software. Logical attackers crash a victim V (a host or router) by sending malformed packets that make V's software work improperly [1]. In this article, a two-phase detection process is proposed. The first phase detects logical and momentary attacks; chronic attacks are detected in the second phase.

The rest of this article is organized as follows. Section 2 describes different types of attacks, IDSs and an overview of Grid. Section 3 states the GIDS architecture and algorithms. Experimental results are shown in Section 4. Section 5 concludes this article and outlines future work.

2. Related Work and Background

2.1. Attacks
From an operational viewpoint, attacks can be classified as logical, flood and reflective. Land and Ping-of-Death attacks are typical examples of the first. Flood attacks send a huge number of packets to consume V's resources, such as memory, CPU time and bandwidth. The packets can be TCP, UDP, ICMP or a mix of them, and a flood attack can be DoS or DDoS. Reflective attacks, also named indirect attacks, penetrate a group of innocent nodes, such as DNS servers, HTTP servers or routers, to make them act as reflectors. Packets with V's address as the source address are sent to the reflectors, which then respond with packets that flood V. Any protocol that supports a response, such as ICMP error messages, SYN with its SYN-ACK, and SYN-ACK with its corresponding RST, can be employed to launch reflective packets [6]. The reflected packets are often normal ones coming from legitimate addresses; hence, they are difficult to detect.
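As an added illustration of the two-phase process described in the Introduction (this code is not from the paper; the page gives no GIDS source), the following Python sketch runs phase 1 over fixed two-second windows, where a burst from one source counts as a momentary attack and a packet carrying the victim's own address as its source counts as a logical (malformed) packet, and runs phase 2 over a longer sliding span, where a slow stream that never crosses the per-window threshold but accumulates over ten to twenty seconds counts as a chronic attack. The window length, thresholds, traffic sample and the source-equals-destination check used as the logical signature are all assumptions made for this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds are constructed for this example; the paper gives no values.
WINDOW_SECONDS = 2          # the "one or two seconds" momentary period
MOMENTARY_THRESHOLD = 50    # packets from one source to V within one window
CHRONIC_SPAN_SECONDS = 20   # the "ten or twenty seconds" prolonged period
CHRONIC_THRESHOLD = 200     # packets from one source to V within that span


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time in seconds
    src: str
    dst: str


def phase1(packets, victim):
    """Phase 1: logical and momentary attacks, judged per WINDOW_SECONDS window."""
    logical = set()
    per_window = defaultdict(Counter)   # window index -> source -> packet count
    for p in packets:
        if p.dst != victim:
            continue
        # Logical check: a packet claiming the victim's own address as its
        # source can only be malformed (assumed signature, for illustration).
        if p.src == p.dst:
            logical.add(p.src)
        per_window[int(p.ts // WINDOW_SECONDS)][p.src] += 1
    momentary = {(src, w) for w, counts in per_window.items()
                 for src, n in counts.items() if n >= MOMENTARY_THRESHOLD}
    return {"logical": logical, "momentary": momentary}


def phase2(packets, victim):
    """Phase 2: chronic attacks, a stream that stays below the momentary
    threshold in every short window but accumulates over a longer span."""
    per_src = defaultdict(list)
    for p in packets:
        if p.dst == victim:
            per_src[p.src].append(p.ts)
    chronic = {}
    for src, times in per_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):            # sliding span over arrivals
            while t - times[lo] > CHRONIC_SPAN_SECONDS:
                lo += 1
            if hi - lo + 1 >= CHRONIC_THRESHOLD:
                chronic[src] = times[lo]          # span start when it crossed
                break
    return chronic


def build_sample():
    """Constructed traffic toward victim V (10.0.0.100); not captured data."""
    pk = []
    pk += [Packet(3.0 + i * 0.01, "10.0.0.1", "10.0.0.100") for i in range(60)]   # burst in one window
    pk += [Packet(10.0 + i * 0.05, "10.0.0.2", "10.0.0.100") for i in range(300)]  # 20 pkt/s for 15 s
    pk += [Packet(float(i), "192.0.2.7", "10.0.0.100") for i in range(5)]          # legitimate client
    pk += [Packet(7.0 + i, "10.0.0.100", "10.0.0.100") for i in range(3)]          # source == victim
    return pk


def run_demo(victim="10.0.0.100"):
    packets = build_sample()
    return phase1(packets, victim), phase2(packets, victim)


if __name__ == "__main__":
    p1, p2 = run_demo()
    print("phase 1:", p1)
    print("phase 2:", p2)
```

In the constructed sample the second source sends only 40 packets per two-second window, so phase 1 never flags it, while its 300 packets over fifteen seconds cross the span threshold in phase 2; that is exactly the evasion the Introduction attributes to chronic attackers and the reason the paper separates the two phases.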

2.2. IDS
Park and Lee in 2002 [4] proposed a route-based packet filtering (RPF) approach that checks whether each packet arrives from the correct link and source. Moreover, many IDS prototypes have been developed in recent years, such as Distributed Attack Detection (DAD) [5], the Multics Intrusion Detection and Alerting System (MIDAS) [7] and the Distributed Intrusion Detection System (DIDS) [8]. However, most of their analyses are comparatively slow and computationally intensive.

2.3. Grid Computing
Grid was proposed in the mid 1990s and has been widely used in many areas, such as bioinformatics, medicine, astronomy, chemistry, agriculture, business and engineering design, to solve large-scale and complex problems [2]. Today, many organizations, such as Compaq, Sun Microsystems, Fujitsu, Hitachi and NEC, are engaged in Grid research. They have adopted the Globus Toolkit, developed by USC's Information Sciences Institute (ISI) and Argonne National Laboratory, as their basic platform. The Globus Toolkit is an open-architecture toolkit consisting of security, information infrastructure, resource management, data management and communication components. It facilitates the creation of usable Grids, enabling high-speed coupling of people, computers, databases and instruments [3].

3. GIDS
We deploy a GIDS in each Network Management Unit (NMU), such as an enterprise Intranet or a campus network, to detect the packets transmitted into the local NMU. GIDS consists of Dispatchers, a Scheduler, Detection Nodes (DNs), a Database and a Chronic Detector (CD) (see Figure 1). The Dispatcher is located at the core router's outgoing port and is responsible for distributing network flows and jobs. The Scheduler collects, scores and allocates available computing resources. A DN inspects network packets to detect logical and momentary attacks; each DN has an MDS (Monitoring and Directory Service) component, supported by the Globus Toolkit. The Database is the pool that collects detection and intruder information. The CD detects chronic attacks.

3.1 Dispatcher
The Dispatcher uses the TCPDUMP tool to gather network flows from the switch's mirror port. The flows of every two seconds are stored as a file, called a flow file, whose size varies with the current network traffic: when an attack happens or traffic is busy, the file is relatively larger; otherwise, it is smaller. Each time the Dispatcher gathers a flow file, it sends the file size to the Scheduler, asking it to allocate a DN. Finally, the Dispatcher transfers the flow file to the DN by GridFTP and uses the "globus-job-run" command to initiate a detection task.

3.2 Scheduler
The computing environment of GIDS is dynamic and scalable. Therefore, properly allocating resources, balancing network load and improving detection speed are necessary. MDS collects feature information (FI), such as processor grade (PG), processor load (PL), memory size (MS), memory load (ML), I/O speed (IS) and bandwidth (BW), from the DNs. A score table is generated for each feature to show its possible scores; Table 1 illustrates the processor load score table. A feature that performs better, or is currently in a better status, receives a higher score. The Scheduler queries FIs from MDS using LDAP (Lightweight Data Access Protocol). It also references the score tables to calculate the FI scores of each DN and records them in the Score Book (SB), a table with several attributes, each corresponding to one FI. SB has a special attribute TSC (total score) that holds the total score of the DN.

Table 1. The score table of processor load
Processor Load (PL)    scores
0% ≤ PL
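To make the Scheduler's bookkeeping concrete, here is an added Python example (not the paper's code) that turns per-feature score tables into a Score Book with a TSC per DN and then allocates the best-scoring DN to a flow file whose size the Dispatcher reports. Table 1 on the page is truncated after "0% ≤ PL", so every boundary and score in the tables below, the sample feature information, and the "highest TSC wins" allocation rule are assumptions of this example; the MDS/LDAP query that would supply the feature information in GIDS is replaced by an in-memory dictionary.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed score tables (assumptions; Table 1 on the page is truncated).
# Each entry is (upper_bound_inclusive, score); the first bound the value
# fits under decides the score.  Load features score higher when lower,
# capacity features score higher when larger, matching the paper's rule
# that a better-performing or better-status feature gets a higher score.
SCORE_TABLES = {
    "PL": [(20, 5), (40, 4), (60, 3), (80, 2), (100, 1)],           # processor load, %
    "ML": [(20, 5), (40, 4), (60, 3), (80, 2), (100, 1)],           # memory load, %
    "PG": [(1000, 1), (2000, 2), (3000, 3), (float("inf"), 4)],     # processor grade, MHz
    "MS": [(512, 1), (1024, 2), (2048, 3), (float("inf"), 4)],      # memory size, MB
    "IS": [(20, 1), (50, 2), (100, 3), (float("inf"), 4)],          # I/O speed, MB/s
    "BW": [(10, 1), (100, 2), (1000, 3), (float("inf"), 4)],        # bandwidth, Mb/s
}

# Constructed feature information for three hypothetical DNs, in the shape
# MDS would report it; not measurements from the paper's testbed.
SAMPLE_FI = {
    "dn1": {"PG": 2400, "PL": 75, "MS": 2048, "ML": 30, "IS": 60, "BW": 100},
    "dn2": {"PG": 3200, "PL": 15, "MS": 4096, "ML": 10, "IS": 120, "BW": 1000},
    "dn3": {"PG": 1800, "PL": 45, "MS": 1024, "ML": 55, "IS": 30, "BW": 100},
}


def feature_score(feature: str, value: float) -> int:
    """Look a raw feature value up in its score table."""
    for bound, score in SCORE_TABLES[feature]:
        if value <= bound:
            return score
    raise ValueError(f"{feature}={value} lies outside its score table")


@dataclass
class ScoreBookRow:
    dn: str
    scores: Dict[str, int]   # one attribute per FI, as in the paper's SB
    tsc: int                 # total score attribute


def build_score_book(feature_info: Dict[str, Dict[str, float]]) -> List[ScoreBookRow]:
    """Score every FI of every DN and record the rows plus TSC."""
    book = []
    for dn, fi in feature_info.items():
        scores = {f: feature_score(f, fi[f]) for f in SCORE_TABLES}
        book.append(ScoreBookRow(dn, scores, sum(scores.values())))
    return book


def allocate(book: List[ScoreBookRow], flow_file_bytes: int) -> dict:
    """Answer a Dispatcher request: hand the flow file to the DN with the
    highest TSC (assumed rule; ties broken by name for determinism)."""
    best = max(book, key=lambda r: (r.tsc, r.dn))
    return {"dn": best.dn, "tsc": best.tsc, "flow_file_bytes": flow_file_bytes}


def run_demo():
    book = build_score_book(SAMPLE_FI)
    return {r.dn: r.tsc for r in book}, allocate(book, 3_200_000)


if __name__ == "__main__":
    tscs, job = run_demo()
    print("score book TSC:", tscs)
    print("allocation:", job)
```

Because the Score Book is recomputed from fresh FI on every request, a DN that just received a large flow file will report a higher processor and memory load next time and drop in TSC on its own; the paper's SSA and SAA adjust scores between such refreshes, and they are not modelled here.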