IDSIC: A Modeling of Intrusion Detection System with Identification Capability

Pei-Te Chen, Benjamin Tseng, Chi-Sung Laih

Cryptology & Network Security Lab., Electrical Engineering Department, National Cheng Kung University


Page 2:

Outline

1. Introduction

2. Traditional IDS model

3. A New model: IDSIC

4. Implementation issues of IDSIC

5. Conclusion

Page 3:

1. Introduction

Three fundamental functional components of an intrusion detection system (IDS):
- Collection: collects the different sources of information
- Detection: analyzes the collected information sources
- Response: notifies the system managers when or where an intrusion happens, through active measures or passive measures

Page 4:

1. Introduction (cont.)

Some security standards, e.g., ISO 17799 (now ISO/IEC 27002), suggest that an internal auditor should periodically check the security of the enterprise networks.

In order to discover the real security holes or vulnerabilities, the security tools used by the auditors are the same tools used by outside hackers.

Page 5:

1. Introduction (cont.)

These tests can be separated into two situations.

Rehearsal: the auditors notify the system managers when the security auditing starts and how the security tests will proceed. Because both the system managers and the auditors know the scenarios of the security tests, the testing results in this situation reveal very little.

Page 6:

1. Introduction (cont.)

The other situation: the auditors imitate hackers' behaviors when performing the security tests, and the system managers do not know in advance when, where, and how the tests will take place.
- An active response measure would trigger the system's self-protecting ability against the tests.
- A passive response measure will raise many alarms that the system managers have to cope with.

Page 7:

1. Introduction (cont.)

Lee et al. propose a cost-sensitive model for IDSs that uses some major cost factors, such as damage cost, response cost, and operational cost, to evaluate the total cost of an IDS. IDSs should minimize these costs.

W. Lee, W. Fan, M. Miller, S. Stolfo, and E. Zadok. Toward Cost-Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security, Vol. 10, Numbers 1-2, 2002.

Page 8:

Motivation

The traditional IDSs (TIDSs) do not consider the behavior of the security auditors. We are motivated to study whether the IDSs' cost is minimal in a top-secret enterprise network where security auditors exist.

Page 9:

2. Traditional IDS model
- Traditional IDSs (TIDSs) requirements
- Roles and costs in TIDSs

Page 10:

TIDSs requirements
- Detection of known attacks: should have the ability to determine the malicious attackers
- Real-time/near real-time analysis: analyze the information sources gathered by the IDS sensor as soon as possible
- Minimal resource: use minimal resources in the systems when monitoring
- High accuracy: make sure the detection is correct and lower the false alarms

J. Cannady. An Adaptive Neural Network Approach to Intrusion Detection and Response. Ph.D. Thesis, Nova Southeastern University, 2000.

Page 11:

The roles in TIDSs

Hackers: people who attempt to gain unauthorized access to a computer system. These people are often malicious and have many tools for breaking into a system.

System Manager (SM): the person in charge of minimizing excess use, network management, and system maintenance costs. If a system under attack triggers IDS alarms, they have to make efforts to find out where the problem is.

Page 12:

The roles in TIDSs (cont.)

Detection System (DS): the system that monitors the events occurring in protected hosts or networks and analyzes them for signs of intrusions.

Page 13:

The roles and relationships in TIDSs

[Figure: Hackers on the Internet attack the Servers behind the Router on the Intranet; the DS (Collection, Detection, Response components) monitors the Intranet and reports to the SMs.]

Page 14:

The costs of TIDSs
- damage cost (DCost): the cost of the damage caused by hackers when the IDS does not work appropriately
- response cost (RCost): the cost of the actions taken when the response component generates alarms
- operational cost (OpCost): the cost of processing and analyzing the activities of events

(Lee et al., Toward Cost-Sensitive Modeling for Intrusion Detection and Response, 2002; cited above.)

Page 15:

The costs of TIDSs (cont.)
- False Negative cost is the cost of not detecting an attack that really happened.
- False Positive cost occurs when normal behavior is misidentified as an attack.
- True Positive cost is the detection cost when an attack really happens.
- True Negative cost is incurred when an IDS correctly decides there is no attack.

Page 16:

The costs of TIDSs (cont.)

Situation | Consequential Cost (CCost) | Condition
False Negative (FN) | $\mathrm{DCost}(e)$ |
False Positive (FP) | $\mathrm{RCost}(e)$ | if $\mathrm{RCost}(e) \le \mathrm{DCost}(e)$ (CASE 1)
False Positive (FP) | $0$ | if $\mathrm{RCost}(e) > \mathrm{DCost}(e)$ (CASE 2)
True Positive (TP) | $\mathrm{RCost}(e) + \varepsilon_1\,\mathrm{DCost}(e)$, $0 \le \varepsilon_1 \le 1$ | if $\mathrm{RCost}(e) \le \mathrm{DCost}(e)$ (CASE 1)
True Positive (TP) | $\mathrm{DCost}(e)$ | if $\mathrm{RCost}(e) > \mathrm{DCost}(e)$ (CASE 2)
True Negative (TN) | $0$ |

$\varepsilon_1$: the function of the events' progress

Page 17:

The costs of TIDSs (cont.)

$\mathrm{CumulativeCost}(E) = \sum_{e \in E} \big(\mathrm{CCost}(e) + \mathrm{OpCost}(e)\big)$, where $e \in E$ (the event set).

However, $E = E_H \cup E_{SA}$, where $E_H$ is the event set caused by Hackers and $E_{SA}$ is the event set caused by SAs.

Page 18:

3. A New model: IDSIC
- Roles and components in IDSIC
- New requirements in IDSIC
- Cost analysis in IDSIC

Page 19:

Roles in IDSIC

Security Auditor (SA): a person appointed and authorized to audit whether the security equipment works properly, by using vulnerability testing tools. One of the security auditors' main tasks is to check for security holes or vulnerabilities in the system.

Note: traditional IDSs have no ability to distinguish security auditors from hackers.

Page 20:

Roles in IDSIC (cont.)

Detection System with Identification Capability (DSIC): one type of DS that performs the same functions as a DS. However, it has the extra functionality to distinguish between the roles of hackers and SAs.

Fingerprint: some secret information that lets the DSIC distinguish hackers from SAs.

Page 21:

Components in IDSIC

IDSIC includes the basic components of TIDSs, namely the collection, detection, and response components, plus two new ones:
- The fingerprint adder uses fingerprint generation algorithms to calculate the fingerprint and add it to the packets.
- The fingerprint checker includes validation algorithms that help the DSIC differentiate hackers' attacks from SAs' tests by inspecting the packets.

Page 22:

The roles and components in IDSIC

[Figure: as in the TIDS figure, Hackers on the Internet attack the Servers behind the Router on the Intranet. The SAs' test packets pass through the Fingerprint Adder. The DSIC consists of the Collection, Detection, and Response components plus the Fingerprint checker, and reports to the SMs.]

Page 23:

New Requirements in IDSIC
- Generating fingerprint ability: SAs must have the ability to calculate the fingerprint, and the computational power needed to calculate it must be as small as possible.
- Validity ability: the DSIC must be able to determine whether a packet carries a valid fingerprint, and this determination must be as fast as possible.

Page 24:

New Requirements in IDSIC (cont.)
- Security: hackers cannot generate a fingerprint without the SAs' secret, and the probability of forging a fingerprint must be as small as possible.

Page 25:

Cost analysis in IDSIC

The damage cost (DCost) can be divided into two parts:
- HDCost(e) is the damage cost caused by hackers that may harm the systems
- SDCost(e) is the amount of security-testing cost caused by SAs that may damage the systems
- HDCost(e) >> SDCost(e)

The response cost (RCost) is also separated into two parts, HRCost(e) and SRCost(e), with HRCost(e) = SRCost(e).

Page 26:

Cost analysis in IDSIC (cont.)

False Negative (FNIC):
$\mathrm{FNIC} = \mathrm{HDCost}(e) + \varepsilon_2\,\mathrm{SDCost}(e)$, $0 \le \varepsilon_2 \le 1$
Therefore, FNIC < FN.

False Positive (FPIC):
$\mathrm{FPIC} = \begin{cases} \mathrm{RCost}(e) & \text{if } \mathrm{RCost}(e) \le \mathrm{DCost}(e) \ (\text{CASE 1}) \\ 0 & \text{if } \mathrm{RCost}(e) > \mathrm{DCost}(e) \ (\text{CASE 2}) \end{cases}$
Therefore, FPIC $\le$ FP.

$\varepsilon_2$: the function of the events' progress

Page 27:

Cost analysis in IDSIC (cont.)

True Positive (TPIC):
$\mathrm{TPIC} = \begin{cases} \mathrm{HRCost}(e) + \varepsilon_1\big(\mathrm{HDCost}(e) + \varepsilon_3\,\mathrm{SDCost}(e)\big), \ 0 \le \varepsilon_1, \varepsilon_3 \le 1 & \text{if } \mathrm{HRCost}(e) \le \mathrm{HDCost}(e) + \varepsilon_3\,\mathrm{SDCost}(e) \ (\text{CASE 1}) \\ \mathrm{HDCost}(e) + \varepsilon_3\,\mathrm{SDCost}(e) & \text{if } \mathrm{HRCost}(e) > \mathrm{HDCost}(e) + \varepsilon_3\,\mathrm{SDCost}(e) \ (\text{CASE 2}) \end{cases}$

True Negative (TNIC) $= 0$

$\varepsilon_3$: the function of the events' progress

Therefore, TPIC $\le$ TP.

Page 28:

CCost vs. ICCost

Situation | CCost in TIDS | ICCost in IDSIC | Condition
FN or FNIC | $\mathrm{DCost}(e)$ | $\mathrm{HDCost}(e) + \varepsilon_2\,\mathrm{SDCost}(e)$, $0 \le \varepsilon_2 \le 1$ |
FP or FPIC | $\mathrm{RCost}(e)$ | $\mathrm{RCost}(e)$ | CASE 1
FP or FPIC | $0$ | $0$ | CASE 2
TP or TPIC | $\mathrm{RCost}(e) + \varepsilon_1\,\mathrm{DCost}(e)$, $0 \le \varepsilon_1 \le 1$ | $\mathrm{HRCost}(e) + \varepsilon_1\big(\mathrm{HDCost}(e) + \varepsilon_3\,\mathrm{SDCost}(e)\big)$, $0 \le \varepsilon_1, \varepsilon_3 \le 1$ | CASE 1
TP or TPIC | $\mathrm{DCost}(e)$ | $\mathrm{HDCost}(e) + \varepsilon_3\,\mathrm{SDCost}(e)$ | CASE 2
TN or TNIC | $0$ | $0$ |

Page 29:

Cost analysis in IDSIC (cont.)

OpCost(e) is similar in TIDS and IDSIC, and CCost(e) in TIDS is greater than ICCost(e) in IDSIC, so IDSIC can have a smaller CumulativeCost(E) than TIDS:

$\mathrm{CumulativeCost}(E) = \sum_{e \in E} \big(\mathrm{ICCost}(e) + \mathrm{OpCost}(e)\big)$
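The two cost tables (slide 16 for a TIDS, slides 26-28 for IDSIC) and the CumulativeCost sums of slides 17 and 29, written out as an added example; this is not code from the slides. The assumptions are labelled in the code: a TIDS assigns DCost(e) = HDCost(e) + SDCost(e) because it cannot tell an SA's test from a hacker's attack, a single progress value stands in for ε1, ε2 and ε3, and the event set and its cost figures are constructed.

```python
"""Added example (not from the slides): the cost tables of slides 16 and 26-28 as code,
evaluated over a constructed event set so that CumulativeCost(E) can be compared
between a TIDS and IDSIC."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    outcome: str      # how the detector handled the event: "FN", "FP", "TP" or "TN"
    hdcost: float     # HDCost(e): damage the event does when a hacker causes it
    sdcost: float     # SDCost(e): damage the event does when an SA's test causes it (HDCost >> SDCost)
    rcost: float      # RCost(e) = HRCost(e) = SRCost(e), as the slides assume
    opcost: float     # OpCost(e): cost of processing and analysing the event
    progress: float   # epsilon in [0, 1]; assumption: one value serves as eps1, eps2 and eps3


def ccost(e: Event) -> float:
    """CCost(e) of a TIDS (slide 16). Assumption: DCost(e) = HDCost(e) + SDCost(e),
    because a TIDS cannot tell an SA's test apart from a hacker's attack."""
    dcost = e.hdcost + e.sdcost
    if e.outcome == "FN":
        return dcost
    if e.outcome == "TN":
        return 0.0
    if e.rcost <= dcost:                        # CASE 1: a response is issued
        return e.rcost if e.outcome == "FP" else e.rcost + e.progress * dcost
    return 0.0 if e.outcome == "FP" else dcost  # CASE 2: response would cost more than the damage


def iccost(e: Event) -> float:
    """ICCost(e) of IDSIC (slides 26-28): the SA part of the damage is scaled by epsilon."""
    d_ic = e.hdcost + e.progress * e.sdcost     # HDCost(e) + eps3 * SDCost(e)
    if e.outcome == "FN":
        return d_ic                             # FNIC = HDCost(e) + eps2 * SDCost(e)
    if e.outcome == "TN":
        return 0.0
    if e.outcome == "FP":                       # FPIC keeps the TIDS condition on RCost vs DCost
        return e.rcost if e.rcost <= e.hdcost + e.sdcost else 0.0
    if e.rcost <= d_ic:                         # TPIC, CASE 1
        return e.rcost + e.progress * d_ic
    return d_ic                                 # TPIC, CASE 2


def cumulative_cost(events, per_event) -> float:
    """CumulativeCost(E) = sum over e in E of (per_event(e) + OpCost(e))."""
    return sum(per_event(e) + e.opcost for e in events)


# Constructed event set E = E_H (hacker events) + E_SA (SA test events); all figures are invented.
E = [
    Event("hacker scan, detected",         "TP", hdcost=100, sdcost=5, rcost=10, opcost=1, progress=0.5),
    Event("SA test, detected",             "TP", hdcost=80,  sdcost=4, rcost=10, opcost=1, progress=0.25),
    Event("hacker exploit, missed",        "FN", hdcost=100, sdcost=5, rcost=10, opcost=1, progress=0.5),
    Event("benign traffic, false alarm",   "FP", hdcost=100, sdcost=5, rcost=10, opcost=1, progress=0.5),
    Event("low-value probe, costly resp.", "TP", hdcost=3,   sdcost=1, rcost=20, opcost=1, progress=0.5),
    Event("benign traffic, no alarm",      "TN", hdcost=0,   sdcost=0, rcost=0,  opcost=1, progress=0.0),
]


def compare(events=E):
    """Return (CumulativeCost using CCost, CumulativeCost using ICCost)."""
    return cumulative_cost(events, ccost), cumulative_cost(events, iccost)


if __name__ == "__main__":
    for ev in E:
        print(f"{ev.name:32s} {ev.outcome}  CCost={ccost(ev):7.2f}  ICCost={iccost(ev):7.2f}")
    tids, idsic = compare()
    print(f"CumulativeCost: TIDS={tids:.2f}  IDSIC={idsic:.2f}")
```

For every event in the constructed set, ICCost(e) is no larger than CCost(e); the FP rows coincide, the FN and TP rows differ only by the ε scaling of SDCost, and the gap in CumulativeCost grows with the share of SA test events, which is the situation slide 8 asks about.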

Page 30:

4. Implementation issues of IDSIC
- How to generate the fingerprint
- Where and how to put the fingerprint in the packets
- Where to put the fingerprint checker component in IDSIC

Page 31:

How to generate the fingerprint

Packet messages (m): information about the IPs, the sequence number, the packet timestamp, and so on.

Three approaches to generate the needed fingerprint:
- HMAC (Hashed Message Authentication Code)
- HMAC using a secret value
- signature

Page 32:

HMAC

Page 33:

HMAC using a secret value

Page 34:

Signature: uses a Public Key Infrastructure (PKI). The SAs sign the packet messages with their private keys, and the DSIC uses the SAs' public keys to check the signature.

Whichever approach is used, it should satisfy the minimal resource requirement.

Page 35:

Where to put the fingerprint in the packets

We suggest using the IP identification field in the IP header to store the fingerprint.
- This field is currently used to differentiate IP fragments that belong to different packets.
- Less than 0.25% of all Internet traffic is fragments.
- Savage et al. use this field in their IP marking (traceback) technique.

Page 36:

IP Header (IPv4)

VER (4 bits) | HLEN (4 bits) | TOS (8 bits) | TOTAL LENGTH (16 bits)
Identification (16 bits) | Flags (3 bits) | Offset (13 bits)
Time to live (8 bits) | Protocol (8 bits) | Header checksum (16 bits)
Source IP address (32 bits)
Destination IP address (32 bits)
Options

Page 37:

How to put the fingerprint in the packets

The IP identification field contains only 16 bits, so a hacker's probability of forging the fingerprint of one packet is $2^{-16}$.

We can set a threshold k (the number of packets whose fingerprints must verify before the source is treated as an SA), reducing the hackers' forging probability to $(2^{-16})^k$.
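The HMAC approach of slides 31-33, the Identification-field placement of slides 35-36 and the threshold k of slide 37, worked through as an added example; this is not the authors' code. Everything in it is an assumption made for the example: the message m is the source and destination IPs, the TCP sequence number and a 60-second timestamp window; the secret is a constructed byte string shared by the SAs and the DSIC; and the packets are built inline with `struct` rather than captured from a network. Two practitioner caveats carried by the code: an HMAC secret has to live inside the DSIC, so a compromised DSIC can forge fingerprints (the signature approach of slide 34 avoids that at a higher verification cost), and a packet that is genuinely a fragment needs its Identification field for reassembly, so the checker must not read a fingerprint out of it.

```python
"""Added example (not from the slides): a 16-bit HMAC fingerprint carried in the IPv4
Identification field, a checker that validates it, and the threshold k of slide 37.
The message m, the secret, the addresses and the timestamp window are all assumptions."""
import hashlib
import hmac
import socket
import struct

SA_SECRET = b"constructed-secret-shared-by-SAs-and-DSIC"  # assumption: provisioned out of band
ID_BITS = 16                                             # width of the IPv4 Identification field
WINDOW_SECONDS = 60                                      # assumption: timestamp granularity used in m


def packet_message(src_ip: str, dst_ip: str, seq: int, window: int) -> bytes:
    """m = IPs || sequence number || coarse timestamp: only fields the checker can recover."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!IQ", seq, window)


def make_fingerprint(secret: bytes, src_ip: str, dst_ip: str, seq: int, window: int) -> int:
    """HMAC-SHA256 over m, truncated to the 16 bits the Identification field can hold."""
    tag = hmac.new(secret, packet_message(src_ip, dst_ip, seq, window), hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "big")


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip: str, dst_ip: str, seq: int, ident: int, ttl: int = 64) -> bytes:
    """IPv4 header (no options) with the given Identification, then a minimal TCP SYN carrying seq."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the header checksum
    return ip + tcp


def parse_packet(raw: bytes) -> dict:
    """Recover the fields the checker needs; reject a corrupted header."""
    v_ihl, _tos, _tlen, ident, frag, _ttl, _proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (v_ihl & 0x0F) * 4
    if ip_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    seq = struct.unpack("!I", raw[ihl + 4:ihl + 8])[0]             # TCP sequence number
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ident": ident,
            "frag": frag, "seq": seq}


def fingerprint_adder(secret: bytes, src_ip: str, dst_ip: str, seq: int, timestamp: int) -> bytes:
    """SA side: compute the fingerprint and place it in the Identification field."""
    window = timestamp // WINDOW_SECONDS
    return build_packet(src_ip, dst_ip, seq, make_fingerprint(secret, src_ip, dst_ip, seq, window))


def fingerprint_checker(secret: bytes, raw: bytes, timestamp: int) -> bool:
    """DSIC side: recompute the fingerprint from the packet and compare in constant time."""
    p = parse_packet(raw)
    if p["frag"] & 0x3FFF:        # MF flag or non-zero offset: a real fragment, whose Identification
        return False              # is needed for reassembly and must not be read as a fingerprint
    window = timestamp // WINDOW_SECONDS
    expected = make_fingerprint(secret, p["src"], p["dst"], p["seq"], window)
    return hmac.compare_digest(expected.to_bytes(2, "big"), p["ident"].to_bytes(2, "big"))


def forge_probability(k: int, bits: int = ID_BITS) -> float:
    """Chance that a hacker without the secret passes k independent checks: (2^-bits)^k."""
    return (2.0 ** -bits) ** k


class ThresholdChecker:
    """Treats a source as an SA only after k consecutive packets carry valid fingerprints."""

    def __init__(self, secret: bytes, k: int):
        self.secret, self.k, self.streak = secret, k, {}

    def observe(self, raw: bytes, timestamp: int) -> bool:
        src = parse_packet(raw)["src"]
        ok = fingerprint_checker(self.secret, raw, timestamp)
        self.streak[src] = self.streak.get(src, 0) + 1 if ok else 0   # a bad fingerprint resets the run
        return self.streak[src] >= self.k


if __name__ == "__main__":
    now = 1_700_000_000
    pkt = fingerprint_adder(SA_SECRET, "10.0.0.5", "10.0.0.80", seq=123456, timestamp=now)
    print("SA packet accepted:", fingerprint_checker(SA_SECRET, pkt, now))
    print("forged packet accepted:", fingerprint_checker(SA_SECRET, build_packet("10.0.0.5", "10.0.0.80", 123456, 0x1234), now))
    print("forging probability with k=3: %.3g" % forge_probability(3))
```

The timestamp window is what keeps a captured SA packet from being replayed indefinitely; widen it and the checker tolerates more clock skew between SA and DSIC but accepts older replays. The 2^-16 figure of slide 37 holds only per independent guess, so the threshold must count consecutive successes from the same source and reset on any failure, as `ThresholdChecker` does.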

Page 38:

Where to put the fingerprint checker in IDSIC

There are two choices for deploying the fingerprint checker component:

[Figure: "Before": the fingerprint checker is placed before the detection component, ahead of the Collection, Detection, Response pipeline. "After": the fingerprint checker is placed after the detection component.]

Page 39:

Where to put the fingerprint checker in IDSIC (cont.)

Before the detection component:
- the fingerprint checker has to check every received packet, which may take a lot of time
- under heavy packet loads the fingerprint checker may lose some packets

Page 40:

Where to put the fingerprint checker in IDSIC (cont.)

After the detection component:
- IDSIC first determines whether an intrusion happens, so the DSIC can work like a DS and the fingerprint checker only has to check the doubtful (suspected intrusion) packets
- if the SAs perform security tests often, the detection component may be busy dealing with these testing packets

Page 41:

Where to put the fingerprint checker in IDSIC (cont.)

The best deployment depends on
- the frequency of security tests ($f_{st}$, from SAs)
- the frequency of attacks ($f_a$, from Hackers)
- the fingerprint checker examining time ($t_{fc}$)
- the DSIC dealing time ($t_{DSIC}$)

For example, in the rehearsal situation $f_{st}$ is greater than $f_a$, so it would be better to deploy the fingerprint checker before the detection component.
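The placement decision of slides 39-41 as an added example; the slides name the four quantities but give no formula, so the per-packet model below is an assumption: $f_{st}$ and $f_a$ are treated as fractions of all packets, packets the checker recognises as SA tests are assumed to skip the detection component, and the numbers in the usage are constructed.

```python
"""Added example (not from the slides): a back-of-the-envelope model for choosing where the
fingerprint checker goes, using the four quantities of slide 41. The model is an assumption:
f_st and f_a are fractions of all packets, and packets recognised as SA tests skip detection."""


def per_packet_time(placement: str, f_st: float, f_a: float, t_fc: float, t_dsic: float) -> float:
    """Expected processing time per packet for the given placement of the fingerprint checker."""
    if placement == "before":
        # every packet is checked; recognised SA test packets do not reach detection (assumption)
        return t_fc + (1.0 - f_st) * t_dsic
    if placement == "after":
        # every packet goes through detection; only doubtful packets (tests and attacks) are checked
        return t_dsic + (f_st + f_a) * t_fc
    raise ValueError("placement must be 'before' or 'after'")


def best_placement(f_st: float, f_a: float, t_fc: float, t_dsic: float) -> str:
    """Pick the placement with the smaller expected per-packet time."""
    before = per_packet_time("before", f_st, f_a, t_fc, t_dsic)
    after = per_packet_time("after", f_st, f_a, t_fc, t_dsic)
    return "before" if before <= after else "after"


def keeps_up(placement: str, f_st: float, f_a: float, t_fc: float, t_dsic: float,
             packets_per_second: float) -> bool:
    """Slide 39's caveat: if per-packet time exceeds the inter-arrival time, packets are lost."""
    return per_packet_time(placement, f_st, f_a, t_fc, t_dsic) * packets_per_second <= 1.0


if __name__ == "__main__":
    # constructed figures: times in seconds per packet
    print("rehearsal (f_st >> f_a):", best_placement(f_st=0.30, f_a=0.01, t_fc=2e-6, t_dsic=10e-6))
    print("rare tests:", best_placement(f_st=0.001, f_a=0.01, t_fc=2e-6, t_dsic=10e-6))
    print("checker before detection keeps up at 100k pps:",
          keeps_up("before", 0.30, 0.01, 2e-6, 10e-6, 100_000))
```

With the constructed figures the rehearsal case ($f_{st}$ = 0.30) favours the "before" placement, matching the slide's example, while rare tests ($f_{st}$ = 0.001) favour "after"; the `keeps_up` check is the throughput bound that decides whether either placement drops packets at a given line rate.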

Page 42:

Conclusion

We propose a new model, IDSIC, based on the auditing point of view, and propose the new requirements in IDSIC.

We prove that the CumulativeCost of a TIDS does not reach the minimal cost when the role of SA exists.