Behavior Intrusion Detection: Enhanced
Hakan Evecek, Rodolfo Ortiz
GOALS
1. Discuss the characteristics of a Behavior Intrusion Detection System.
2. Monitor the timing for a sequence of DNS, ICMP and HTTP/HTTPS packets.
3. Provide the results.
4. Analyze the behavior of the protocols with the firewall enabled and disabled.
5. Present an approach to prioritize suspicious packets.
6. Show how to enhance a Behavior IDS.
WHAT IS IDS?
An IDS is concerned with the detection of hostile actions towards a computer system or network.
There are two types:
Anomaly detection (Behavior IDS)
Signature detection
OVERVIEW OF BIDS
A Behavior IDS (BIDS) can be described as an alarm for strange system behavior; it is based on statistics.
Advantages:
- They don't need to know the details of an attack.
- Dynamic: they are automatically updated.
Disadvantages:
- Many false positives are generated during the sensor training.
- The training must be extensive so that the baseline is accurate.
OVERVIEW OF BIDS
Anomalies to be detected:
- Traffic to unused ports
- A non-standard service assigned to a standard port (e.g. port 80 used for peer-to-peer sharing)
- Too much UDP/TCP traffic
- More bytes coming into an HTTP server than going out

- Measure timing for DNS, ICMP and HTTP/HTTPS
- Establish a baseline for different packet sequences
- Label packets outside the baseline for further analysis
THE PROJECT
Network diagram (test bed). Zones: Internet, DMZ (192.168.0.0/24), Intranet (10.0.0.0/24). Hosts: Firewall (FC4), IDS Outer (FC4), IDS Inner (FC4), DNS Server, Web Server, Intra1 (XP), Intra2 (Win2003). Switches: DLink SW1, DLink SW2, HP5000 SW.
Diagram: IDS Sensor, Sensor, IDS DB.
ICMP
Sequence diagram: Intra1 (XP) sends an ICMP Request through the Firewall to the server and receives an ICMP Reply; IDS Inner captures the packets, with timing points A, B, C and D marked on the exchange.
DNS
Sequence diagram: Intra1 (XP) sends a DNS Request through the Firewall to the DNS Server and receives a DNS Reply; IDS Inner captures the packets, with timing points A, B, C and D marked on the exchange.
HTTP
Sequence diagram: Intra1 (XP) exchanges SYN, SYN ACK, ACK and then a GET with the Web Server through the Firewall; IDS Inner captures the packets, with timing points A through G marked on the exchange.
HTTPS
Sequence diagram: Intra1 (XP) exchanges SYN, SYN ACK and ACK with the Web Server through the Firewall, then the TLS handshake: CLIENT HELLO; SERVER HELLO, CERTIFICATE, SERVER KEY EXCHANGE, CERTIFICATE REQUEST, SERVER HELLO DONE; CERTIFICATE, CLIENT KEY EXCHANGE, CERTIFICATE VERIFY, CHANGE CIPHER SPEC, FINISHED; followed by APPLICATION DATA in both directions. IDS Inner captures the packets.
DATA OBTAINED
Units are in seconds.
In a normal distribution, approximately 99.7% of the population lies in the interval mean ± 3 standard deviations. This works well for the upper bound, but the lower bound is defined by 1 standard deviation below the mean. Using this formula, the confidence interval is [mean − 1 × standard deviation, mean + 3 × standard deviation].
ICMP
ICMP                         Firewall enabled   Firewall disabled
Mean                         0.000119           0.000106
Standard Deviation           0.000023           0.000011
% inside the above interval  93.33%             96.67%
Chart: time (sec) vs. packet sequence number; blue = firewall enabled, pink = firewall disabled; packets outside the 3-standard-deviation range are circled.
DNS
DNS                          Firewall enabled   Firewall disabled
Mean                         0.000352           0.000345
Standard Deviation           0.000038           0.000023
% inside the above interval  98.64%             100.00%
Chart: time (sec) vs. packet sequence number; blue = firewall enabled, pink = firewall disabled; packets outside the 3-standard-deviation range are circled.
HTTP vs. HTTPS
Chart (firewall enabled): time (sec) vs. packet sequence number; blue = HTTP, pink = HTTPS; packets outside the 3-standard-deviation range are circled.
Chart (firewall disabled): same axes and legend.
                             Firewall enabled        Firewall disabled
                             HTTP       HTTPS        HTTP       HTTPS
Mean                         0.000582   0.004463     0.000561   0.004320
Standard Deviation           0.000064   0.001574     0.000033   0.000708
% inside the above interval  98.48%     98.99%       98.99%     99.49%
PROPOSED APPROACH
Using the standard deviation, the intervals are defined: 3 times the standard deviation for the upper bound and 1 time for the lower bound.
Label the suspicious packets and give them priorities based on their distance from the confidence interval.
Upper bound: 3 times the standard deviation. Lower bound: 1 time the standard deviation.
Charts (firewall enabled) for ICMP, DNS, HTTP and HTTPS: time (sec) vs. packet sequence number, showing the confidence interval and the priority bands. Above the mean: 3 times the standard deviation (lower priority), 6 times (higher priority). Below the mean: 1 time the standard deviation (lower priority), 2 times (higher priority).
SUSPICIOUS PACKETS
The suspicious packets are defined. Then the packets are prioritized and labelled based on their distance from the mean.
How do we know it's an attack? Define a behavior for each kind of attack, e.g. worms.
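The baseline and prioritization described above, as an added example that is not part of the original slides: the multipliers (1 and 3 standard deviations for the interval, 2 and 6 for the higher-priority bands) are the deck's, while the timing samples and the function names are constructed for illustration.

```python
import statistics

# Multipliers from the proposed approach: confidence interval is
# [mean - 1*sd, mean + 3*sd]; packets beyond 2*sd below or 6*sd above
# the mean get the higher priority, other packets outside the interval
# get the lower priority.
LOWER_K, UPPER_K = 1.0, 3.0            # confidence-interval bounds
LOWER_HIGH_K, UPPER_HIGH_K = 2.0, 6.0  # higher-priority thresholds


def baseline(times):
    """Mean and sample standard deviation of the training timings (seconds)."""
    return statistics.mean(times), statistics.stdev(times)


def label_packet(t, mean, sd):
    """Return 'normal', 'low' or 'high' for one packet timing t (seconds)."""
    if mean - LOWER_K * sd <= t <= mean + UPPER_K * sd:
        return "normal"
    if t > mean + UPPER_HIGH_K * sd or t < mean - LOWER_HIGH_K * sd:
        return "high"
    return "low"


def label_sequence(times, mean, sd):
    """Label each packet: (sequence number, time, label, distance in sd units)."""
    rows = []
    for seq, t in enumerate(times, start=1):
        dist = (t - mean) / sd if sd else 0.0
        rows.append((seq, t, label_packet(t, mean, sd), round(dist, 2)))
    return rows


# Constructed training set: 12 ICMP request->reply timings in seconds whose
# mean (0.000119) matches the deck's firewall-enabled ICMP mean; these are
# not the authors' measurements. With a 1-sd lower bound a few of the
# training packets themselves land just below the interval.
TRAINING = [0.000117, 0.000118, 0.000121, 0.000116, 0.000119, 0.000122,
            0.000117, 0.000120, 0.000118, 0.000121, 0.000119, 0.000120]

if __name__ == "__main__":
    m, s = baseline(TRAINING)
    print(f"mean={m:.6f}s sd={s:.7f}s")
    # New packets to classify: one inside, one just above, one far above.
    for row in label_sequence([0.000121, 0.000127, 0.000140], m, s):
        print(row)
```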
WORMS BEHAVIOR
Based on "A behavioral approach to worm detection" [20].
We need to look for this pattern of information (a behavioral signature) in the database:
A:? -> C:D, then C:? -> E:D  =>  hosts A, C and E are infected (D is the port number).
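The behavioral signature above, as an added example that is not part of the original slides or of the cited paper: the connection records, host addresses (chosen from the deck's intranet and DMZ ranges) and the function name are constructed. The matcher follows chains longer than two hops, and the sample includes a recursive DNS server forwarding a query, which matches the same pattern.

```python
from collections import defaultdict, namedtuple

# One connection record: time (s), source host, source port, destination host,
# destination port. Only what the behavioral signature needs.
Conn = namedtuple("Conn", "t src sport dst dport")


def worm_chains(conns):
    """Match the signature A:? -> C:D followed by C:? -> E:D (same port D).

    A host that was contacted on port D and later initiates its own
    connection to port D on another host is treated as a link in an
    infection chain; chains may be longer than two hops. Returns
    (suspected_hosts, matches) where each match is (A, C, E, D).
    """
    contacted = defaultdict(list)  # (host, port) -> [(time, source), ...]
    suspected, matches = set(), []
    for c in sorted(conns, key=lambda c: c.t):
        # Was the current source itself contacted on this port earlier?
        earlier = sorted({s for t, s in contacted[(c.src, c.dport)] if t < c.t})
        for a in earlier:
            matches.append((a, c.src, c.dst, c.dport))
            suspected.update((a, c.src, c.dst))
        contacted[(c.dst, c.dport)].append((c.t, c.src))
    return suspected, matches


# Constructed sample traffic (not captured data).
SAMPLE = [
    # Ordinary client -> server traffic: servers never call back on the same port.
    Conn(0.5, "10.0.0.21", 40001, "192.168.0.10", 80),
    Conn(0.9, "10.0.0.22", 40002, "192.168.0.10", 80),
    # Recursive DNS: the server was contacted on 53 and then forwards on 53.
    # This matches the signature too, which is why timing and other variables
    # are needed before deciding (see the conclusion).
    Conn(1.0, "10.0.0.21", 40003, "192.168.0.11", 53),
    Conn(1.1, "192.168.0.11", 40004, "192.168.0.12", 53),
    # Worm-style chain on an arbitrary port D = 445: A -> C:D, C -> E:D, E -> F:D.
    Conn(2.0, "10.0.0.11", 1032, "10.0.0.12", 445),
    Conn(6.0, "10.0.0.12", 1033, "10.0.0.13", 445),
    Conn(9.5, "10.0.0.13", 1034, "10.0.0.14", 445),
]

if __name__ == "__main__":
    hosts, found = worm_chains(SAMPLE)
    for a, c, e, d in found:
        print(f"{a}:? -> {c}:{d} then {c}:? -> {e}:{d}")
    print("suspected:", sorted(hosts))
```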
FUTURE WORK
- What to do with the packet? How do we know if it is from an intruder?
- What data do we need to store?
- How do we collect the data towards an automated process?
- How can SNORT create the intervals automatically?
- Implement the approach in SNORT's source code.
- Analyze other protocols.
FUTURE WORK
- Analyze other scenarios, like an Internet server instead of a local server.
- Analyze wireless communication.
- DNSSecure.
- Behavioral signatures for other attacks.
CONCLUSION
- Timing is important, but we also need to look at other variables, like performance, before making a decision; this decreases false positives.
- The intervals work for the studied protocols; results may change for other protocols.
- The intervals need to be tested against attacks like DDoS, worms, etc.
- The HTTP and HTTPS graphs are different because more information is exchanged and the timing varies.
REFERENCES
- Stephen Northcutt, Judy Novak. Network Intrusion Detection. New Riders, 2003.
- John McHugh, Alan Christie, Julia Allen. Defending Yourself: The Role of Intrusion Detection Systems.
- Angela Cearns. Design of an Autonomous Anti-DDoS Network (A2D2). Thesis, 2002.
- Rafeeq Ur Rehman. Intrusion Detection with SNORT. Prentice Hall, 2003.
QUESTIONS?