IDSIC: A Modeling of Intrusion Detection System with
Identification Capability
Pei-Te Chen, Benjamin Tseng, Chi-Sung Laih
Cryptology & Network Security Lab.
Electrical Engineering Department
National Cheng Kung University
Outline
1. Introduction
2. Traditional IDS model
3. A New model: IDSIC
4. Implementation issues of IDSIC
5. Conclusion

1. Introduction
Three fundamental functional components of an intrusion detection system (IDS):
- Collection: collects the different sources of information
- Detection: analyzes the information sources
- Response: notifies the system managers when or where an intrusion happens (active measures & passive measures)

1. Introduction (cont.)
- Some security standards, e.g., ISO 17799, suggest that an inner auditor should periodically check the security issues in the enterprise networks.
- In order to discover the real security holes or vulnerabilities, the security tools used by the auditors are the same tools used by outside hackers.

1. Introduction (cont.)
These tests can be separated into two situations:
- Rehearsal
  - the auditors notify the system managers when the security auditing starts and how the security tests will go on
  - since both the system managers and the auditors know the scenarios of the security tests, the testing results in this situation are of very little value

1. Introduction (cont.)
- The auditors imitate hackers' behaviors when performing the security test
  - The system managers do not know in advance when, where, and how the tests will take place
  - an active response measure would enable the self-protecting ability
  - a passive response measure will raise many alarms, notifying the system managers to cope with them

1. Introduction (cont.)
- Lee et al. propose a cost-sensitive model for IDSs by using some major cost factors, such as damage cost, response cost, operational cost, etc., to evaluate the total cost of IDSs
- IDSs should minimize these costs
Reference: W. Lee, W. Fan, Matt Miller, Sal Stolfo, and E. Zadok. Toward Cost Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security, Vol. 10, Numbers 1,2, 2002.

Motivation
- The traditional IDSs (TIDSs) do not consider the behavior of the security auditors.
- We are motivated to study whether the IDSs' cost is minimal in a top-secret enterprise network with security auditors.

2. Traditional IDS model
- Traditional IDSs (TIDSs) requirements
- Roles and costs in TIDSs

TIDSs requirements
- Detection of known attacks: should have the ability to determine the malicious attackers
- Real-time/near real-time analysis: analyze the information sources gathered by the IDS sensor as soon as possible
- Minimal resource: use the minimal resources in the systems when monitoring
- High accuracy: make sure the detection is correct and lower the false alarms
Reference: J. Cannady. An Adaptive Neural Network Approach to Intrusion Detection and Response. Ph.D. Thesis, Nova Southeastern University, 2000.

The roles in TIDSs
- Hackers: people who attempt to gain unauthorized access to a computer system. These people are often malicious and have many tools for breaking into a system.
- System Manager (SM): the person who takes charge of minimizing the use of excess, network management, and system maintenance costs. If a system under attack causes IDS alarms, they have to make efforts to find out where the problem is.

The roles in TIDSs (cont.)
- Detection System (DS): the system that monitors the events occurring in protected hosts or networks and analyzes them for signs of intrusions.

The roles and relationships in TIDSs
[Figure: the roles and relationships in TIDSs. Elements shown: Servers, Internet, Router, Intranet, SMs, Hackers (Attack), and the DS with its Collection, Detection and Response components.]

The costs of TIDSs
- damage cost (DCost): the cost of damage caused by hackers when IDSs do not work appropriately
- response cost (RCost): the costs of actions when response components generate alarms
- operational cost (OpCost): the cost of processing and analyzing the activities of events
Reference: W. Lee, W. Fan, Matt Miller, Sal Stolfo, and E. Zadok. Toward Cost Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security, Vol. 10, Numbers 1,2, 2002.

The costs of TIDSs (cont.)
- False Negative cost is the cost of not detecting an attack that really happened.
- False Positive cost occurs when normal behavior is misidentified as an attack.
- True Positive cost means the detection cost when attacks really happen.
- True Negative cost is incurred when an IDS correctly decides there are no attacks.

The costs of TIDSs (cont.)

| Situation | Consequential Cost (CCost) | Condition |
| False Negative (FN) | $DCost(e)$ | |
| False Positive (FP) | $RCost(e)$ | CASE 1: if $DCost(e) \ge RCost(e)$ |
| | $0$ | CASE 2: if $DCost(e) < RCost(e)$ |
| True Positive (TP) | $\varepsilon_1 DCost(e) + RCost(e)$, $0 \le \varepsilon_1 \le 1$ | CASE 1: if $DCost(e) \ge RCost(e)$ |
| | $DCost(e)$ | CASE 2: if $DCost(e) < RCost(e)$ |
| True Negative (TN) | $0$ | |

$\varepsilon_1$: the function of the events' progress

The costs of TIDSs (cont.)

$CumulativeCost(E) = \sum_{e \in E} \big(CCost(e) + OpCost(e)\big)$, where $E$ is the event set.

However, $E = E_H \cup E_{SA}$, where $E_H$ is the event set caused by hackers and $E_{SA}$ is the event set caused by SAs.

3. A New model: IDSIC
- Roles and components in IDSIC
- New requirements in IDSIC
- Cost analysis in IDSIC

Roles in IDSIC
- Security Auditor (SA): a person appointed and authorized to audit whether the security equipment works regularly or not by using vulnerability testing tools.
  - One of the security auditors' main tasks is to check the security holes or vulnerabilities in the system.
  - Note: traditional IDSs have no ability to distinguish the security auditors from hackers.

Roles in IDSIC (cont.)
- Detection System with Identification Capability (DSIC): one type of DS that runs the same functions as a DS. However, it has an extra functionality to distinguish between the roles of hackers and SAs.
- Fingerprint: some secret information that is used to let the DSIC distinguish between hackers and SAs

Components in IDSIC
- In IDSIC, we include the basic components of TIDSs, namely the collection, detection, and response components
- The fingerprint adder uses fingerprint generation algorithms to calculate the fingerprint and add it into the packets
- The fingerprint checker includes some validation algorithms that help the DSIC differentiate hackers' attacks from SAs' tests based on the packets

The roles and components in IDSIC
[Figure: the roles and components in IDSIC. Elements shown: Servers, Internet, Router, Intranet, SMs, Hackers (Attack), SAs with the Fingerprint adder, and the DSIC with its Collection, Detection, Response and Fingerprint checker components.]

New Requirements in IDSIC
- Generating fingerprint ability
  - SAs must have the ability to calculate the fingerprint
  - The power needed to calculate the fingerprint must be as small as possible
- Validity ability
  - the DSIC needs the validity ability to determine whether there is any fingerprint in the packets
  - this determination must be as fast as possible

New Requirements in IDSIC (cont.)
- Security
  - Hackers cannot generate a fingerprint without the SAs' secret
  - The probability of forging a fingerprint must be as small as possible

Cost analysis in IDSIC
- The damage cost (DCost) could be divided into two parts:
  - HDCost(e) means the damage cost caused by hackers that may harm the systems
  - SDCost(e) is the amount of security testing cost, caused by SAs, that may damage the systems
  - $HDCost(e) \gg SDCost(e)$
- The response cost (RCost) will also be separated into two parts, HRCost(e) and SRCost(e), with $HRCost(e) = SRCost(e)$

Cost analysis in IDSIC (cont.)
- False Negative (FNIC): $FNIC = HDCost(e) + \varepsilon_2 SDCost(e)$, $0 \le \varepsilon_2 \le 1$
- False Positive (FPIC):
  - CASE 1, if $DCost(e) \ge RCost(e)$: $FPIC = RCost(e)$
  - CASE 2, if $DCost(e) < RCost(e)$: $FPIC = 0$
- $\varepsilon_2$: the function of the events' progress
- Therefore, $FNIC < FN$
- Therefore, $FPIC = FP$

Cost analysis in IDSIC (cont.)
- True Positive (TPIC):
  - CASE 1, if $HDCost(e) + \varepsilon_3 SDCost(e) \ge HRCost(e)$: $TPIC = \varepsilon_1 \big(HDCost(e) + \varepsilon_3 SDCost(e)\big) + HRCost(e)$, $0 \le \varepsilon_1, \varepsilon_3 \le 1$
  - CASE 2, if $HDCost(e) + \varepsilon_3 SDCost(e) < HRCost(e)$: $TPIC = HDCost(e) + \varepsilon_3 SDCost(e)$
- True Negative (TNIC) $= 0$
- $\varepsilon_3$: the function of the events' progress
- Therefore, $TPIC \le TP$

CCost v.s. ICCost

| Situation | CCost in TIDS | ICCost in IDSIC | Condition |
| FN or FNIC | $DCost(e)$ | $HDCost(e) + \varepsilon_2 SDCost(e)$, $0 \le \varepsilon_2 \le 1$ | |
| FP or FPIC | $RCost(e)$ | $RCost(e)$ | CASE 1 |
| | $0$ | $0$ | CASE 2 |
| TP or TPIC | $\varepsilon_1 DCost(e) + RCost(e)$, $0 \le \varepsilon_1 \le 1$ | $\varepsilon_1 \big(HDCost(e) + \varepsilon_3 SDCost(e)\big) + HRCost(e)$, $0 \le \varepsilon_1, \varepsilon_3 \le 1$ | CASE 1 |
| | $DCost(e)$ | $HDCost(e) + \varepsilon_3 SDCost(e)$ | CASE 2 |
| TN or TNIC | $0$ | $0$ | |

Cost analysis in IDSIC (cont.)
- OpCost(e) is similar in TIDS and IDSIC
- CCost(e) in TIDS is greater than ICCost(e) in IDSIC
- Therefore IDSIC could have a smaller CumulativeCost(E) than TIDS:
  $CumulativeCost(E) = \sum_{e \in E} \big(ICCost(e) + OpCost(e)\big)$
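As an added worked example (not from the slides), the following Python encodes the CCost and ICCost tables above and evaluates both on a constructed event set, so the per-outcome relations (FNIC < FN, FPIC = FP, TPIC ≤ TP) and the cumulative-cost comparison can be checked numerically. It assumes DCost(e) = HDCost(e) + SDCost(e), HRCost(e) = SRCost(e) = RCost(e), and fixed values for ε1, ε2, ε3, which the slides leave as functions of the events' progress.

```python
# Added example: the TIDS (CCost) and IDSIC (ICCost) consequential-cost tables as code.
# Assumptions (not stated as formulas on the slides): DCost(e) = HDCost(e) + SDCost(e),
# HRCost(e) = SRCost(e) = RCost(e), and eps1/eps2/eps3 are fixed numbers in [0, 1].
from dataclasses import dataclass
from typing import Callable, Iterable, Tuple


@dataclass(frozen=True)
class Event:
    outcome: str    # how the detector classified e: "FN", "FP", "TP" or "TN"
    hdcost: float   # HDCost(e): damage a hacker-caused event could do to the systems
    sdcost: float   # SDCost(e): damage an SA's security test could do (HDCost >> SDCost)
    rcost: float    # RCost(e): cost of the response actions (HRCost = SRCost = RCost)
    opcost: float   # OpCost(e): cost of processing/analysing e (same in TIDS and IDSIC)

    @property
    def dcost(self) -> float:
        # DCost(e) as the sum of its two parts (assumption, see above)
        return self.hdcost + self.sdcost


def ccost(e: Event, eps1: float = 0.5) -> float:
    """CCost(e) of a traditional IDS (the TIDS cost table)."""
    if e.outcome == "FN":
        return e.dcost
    if e.outcome == "FP":
        return e.rcost if e.dcost >= e.rcost else 0.0        # CASE 1 / CASE 2
    if e.outcome == "TP":
        if e.dcost >= e.rcost:                               # CASE 1
            return eps1 * e.dcost + e.rcost
        return e.dcost                                       # CASE 2
    return 0.0                                               # TN


def iccost(e: Event, eps1: float = 0.5, eps2: float = 0.5, eps3: float = 0.5) -> float:
    """ICCost(e) of IDSIC: SA-caused damage is discounted by eps2 (FNIC) or eps3 (TPIC)."""
    if e.outcome == "FN":
        return e.hdcost + eps2 * e.sdcost                    # FNIC < FN
    if e.outcome == "FP":
        return e.rcost if e.dcost >= e.rcost else 0.0        # FPIC = FP
    if e.outcome == "TP":
        damage = e.hdcost + eps3 * e.sdcost
        if damage >= e.rcost:                                # CASE 1
            return eps1 * damage + e.rcost
        return damage                                        # CASE 2
    return 0.0                                               # TNIC


def cumulative_cost(events: Iterable[Event], cost_fn: Callable[..., float], **eps: float) -> float:
    """CumulativeCost(E) = sum over e in E of (cost_fn(e) + OpCost(e))."""
    return sum(cost_fn(e, **eps) + e.opcost for e in events)


# Constructed event set: one event of each outcome, all with HDCost >> SDCost.
EVENTS = (
    Event("FN", hdcost=100.0, sdcost=10.0, rcost=30.0, opcost=1.0),
    Event("FP", hdcost=100.0, sdcost=10.0, rcost=30.0, opcost=1.0),
    Event("TP", hdcost=100.0, sdcost=10.0, rcost=30.0, opcost=1.0),
    Event("TN", hdcost=100.0, sdcost=10.0, rcost=30.0, opcost=1.0),
)


def compare(events: Iterable[Event] = EVENTS) -> Tuple[float, float]:
    """Return (CumulativeCost under TIDS, CumulativeCost under IDSIC) for the same events."""
    events = tuple(events)
    return cumulative_cost(events, ccost), cumulative_cost(events, iccost)


if __name__ == "__main__":
    tids, idsic = compare()
    for e in EVENTS:
        print(f"{e.outcome}: CCost={ccost(e):7.1f}  ICCost={iccost(e):7.1f}")
    print(f"CumulativeCost: TIDS={tids}  IDSIC={idsic}")
```

With the constructed values (HDCost 100, SDCost 10, RCost 30, OpCost 1, all ε = 0.5) the cumulative cost is 229 under TIDS and 221.5 under IDSIC; the whole difference comes from the FN and TP rows, where IDSIC discounts the SA-caused part of the damage, while the FP and TN rows are identical in both models.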

4. Implementation issues of IDSIC
- How to generate the fingerprint
- Where and how to put the fingerprint in the packets
- Where to put the fingerprint checker component in IDSIC

How to generate the fingerprint
- packet messages (m): information about IPs, the sequential number, the packet timestamp, and so on
- Three approaches to generate the needed fingerprint:
  - HMAC (Hashed Message Authentication Code)
  - HMAC using a secret value
  - signature

HMAC

HMAC using secret value

Signature
- uses Public Key Infrastructure (PKI): the SAs should sign the packet messages with their private keys, and the DSIC uses the SAs' public keys to check the signature
- No matter which approach is used, it should satisfy the minimal resource requirement.

Where to put the fingerprint in the packets
- We suggest using the IP identification field in the IP header to store the fingerprint
- This field is currently used to differentiate IP fragments that belong to different packets
  - less than 0.25% of all Internet traffic is fragments
  - Savage et al. use this field in their IP marking technique

IP Header
| VER (4 bits) | HLEN (4 bits) | TOS (8 bits) | TOTAL LENGTH (16 bits) |
| Identification (16 bits) | Flags (3 bits) | Offset (13 bits) |
| Time to live (8 bits) | Protocol (8 bits) | Header checksum (16 bits) |
| Source IP address (32 bits) |
| Destination IP address (32 bits) |
| Options |

How to put the fingerprint in the packets
- The IP identification field contains only 16 bits, so the hackers' forging probability is $2^{-16}$
- We could set a threshold k, reducing the hackers' forging probability to $(2^{-16})^k$
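Added example (not the paper's implementation): a Python sketch of the fingerprint adder and the fingerprint checker using the "HMAC with a secret value" approach, placing a 16-bit truncation of the HMAC in the IPv4 identification field and applying the threshold k as "k consecutive packets of a flow carry a valid fingerprint". The shared secret, the choice of SHA-256, the message layout (source and destination IP from the header, sequence number and timestamp carried at the start of the payload), the per-flow streak policy, and the decision to leave fragmented packets alone are all assumptions made for this example.

```python
# Added example: fingerprint adder and checker using the "HMAC with a secret value"
# approach, with the 16-bit fingerprint carried in the IPv4 identification field and a
# threshold of k consecutive valid packets per flow. The secret, the hash (SHA-256),
# the message layout and the per-flow policy are assumptions made for this example.
import hashlib
import hmac
import socket
import struct

SA_SECRET = b"constructed-example-secret"   # shared by the SAs' tool and the DSIC checker
IPV4_FMT = "!BBHHHBBH4s4s"                   # 20-byte IPv4 header without options
MSG_FMT = "!IQ"                              # constructed payload prefix: seq number, timestamp


def fingerprint16(secret: bytes, src: str, dst: str, seq: int, ts: int) -> int:
    """HMAC over the packet message m = (src IP, dst IP, sequence number, timestamp),
    truncated to 16 bits so that it fits the identification field."""
    m = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(MSG_FMT, seq, ts)
    return int.from_bytes(hmac.new(secret, m, hashlib.sha256).digest()[:2], "big")


def ip_checksum(header: bytes) -> int:
    """Ones'-complement IPv4 header checksum; evaluates to 0 over a correctly checksummed header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, seq: int, ts: int, ident: int,
                 proto: int = 6, ttl: int = 64) -> bytes:
    """IPv4 header with `ident` in the identification field, followed by the constructed payload."""
    payload = struct.pack(MSG_FMT, seq, ts)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in the checksum
    return hdr + payload


def sa_packet(src: str, dst: str, seq: int, ts: int, secret: bytes = SA_SECRET) -> bytes:
    """Fingerprint adder: an SA's tool computes the fingerprint and stores it in the ID field."""
    return build_packet(src, dst, seq, ts, fingerprint16(secret, src, dst, seq, ts))


def forging_probability(k: int) -> float:
    """Probability that k independent guesses of a 16-bit fingerprint all succeed: (2^-16)^k."""
    return 1.0 / (1 << (16 * k))


class FingerprintChecker:
    """Fingerprint checker of the DSIC. A flow (src, dst) is attributed to an SA only once
    k consecutive packets carried a valid fingerprint; any invalid packet resets the streak."""

    def __init__(self, secret: bytes = SA_SECRET, k: int = 3) -> None:
        self.secret, self.k, self.streak = secret, k, {}

    def check(self, pkt: bytes) -> str:
        hdr = pkt[:20]
        if ip_checksum(hdr) != 0:
            return "bad-checksum"
        _, _, _, ident, flags_off, _, _, _, src4, dst4 = struct.unpack(IPV4_FMT, hdr)
        # MF flag set or non-zero fragment offset: the ID field is in use for reassembly.
        if flags_off & 0x2000 or flags_off & 0x1FFF:
            return "fragment"
        src, dst = socket.inet_ntoa(src4), socket.inet_ntoa(dst4)
        seq, ts = struct.unpack(MSG_FMT, pkt[20:20 + struct.calcsize(MSG_FMT)])
        flow = (src, dst)
        if ident == fingerprint16(self.secret, src, dst, seq, ts):
            self.streak[flow] = self.streak.get(flow, 0) + 1
        else:
            self.streak[flow] = 0
        return "SA" if self.streak[flow] >= self.k else "unverified"


if __name__ == "__main__":
    checker = FingerprintChecker(k=3)
    for n in range(3):   # three consecutive test packets from an SA
        print("SA packet", n, "->",
              checker.check(sa_packet("10.0.0.5", "10.0.0.80", n, 1700000000 + n)))
    print("forging probability with k=3:", forging_probability(3))
```

The checker returns "unverified" for the first k-1 valid packets of a flow and "SA" from the k-th on; a packet whose identification field does not match resets the flow's streak, so a guessed value has to be right k times in a row, which is the $(2^{-16})^k$ figure above. Because the same 16 bits also carry fragment identifiers, the checker refuses to interpret the field when the MF flag or a non-zero offset shows the packet is a fragment, in line with the slide's remark that the field is still in use for that purpose.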

Where to put the fingerprint checker in IDSIC
Two choices to deploy the fingerprint checker component:
[Figure: the fingerprint checker placed before the detection component ("Before") or after it ("After"), alongside the Collection, Detection and Response components.]

Where to put the fingerprint checker in IDSIC (cont.)
- Before the detection component:
  - the fingerprint checker has to check every received packet, which may spend a lot of time on checking
  - the fingerprint checker may lose some packets under a large volume of packets

Where to put the fingerprint checker in IDSIC (cont.)
- After the detection component:
  - IDSIC would first determine whether an intrusion happens
  - the DSIC can work like a DS, and the fingerprint checker only has to check the doubtful intrusion packets
  - if the SAs often perform security tests, then the detection component may be busy dealing with these testing packets

Where to put the fingerprint checker in IDSIC (cont.)
- The best deployment depends on:
  - the frequency of security tests (fst) (from SAs)
  - the frequency of attacks (fa) (from hackers)
  - the fingerprint checker's examining time (tfc)
  - the DSIC's dealing time (tDSIC)
- For example, in the rehearsal situation fst is greater than fa, thus it would be better to deploy the fingerprint checker before the detection component.

Conclusion
- We propose a new model, IDSIC, based on the auditing point of view, and propose the new requirements in IDSIC.
- We prove that the CumulativeCost in TIDS does not reach the minimal cost when the role of SA exists.