
SWAWLAMBI SIKSHAN SANTHA’S

SUSHGANGA POLYTECHNIC, NAIGAON: WANI

Micro-Project Report
On
“ATTACK DETECTION SYSTEM”
Presented By
Enrollment Number. Name
2111870 MUDDASSIR SHEIKH
2211870 MIHIR JHA
2211870 PRATHAMESH URKUDE
2211870 ADIB HAQUE
2111870 PRANJALI GRIATKAR

Program: Diploma in Computer Engineering


Class: Third Year (Semester 6)
Course: Network and Information Security (Subject Code: 22620)

Guided By
Prof. DIKSHA HIWARE

Computer Engineering Department


[2023-2024]

Certificate

This is to certify that we, the students of Third Year (Semester 6), have successfully
completed the Micro-Project work entitled “Attack detection System” in the Network and
Information Security course of the Program Diploma in Computer Engineering of
Maharashtra State of Technical Education, Mumbai, Maharashtra State.

Miss Diksha Hiwre (Guide)
Prof. Shamali Kadu (Head of Department)
Mrs. Pushpa Rani (Principal)

Date:
Place: Wani
ACKNOWLEDGEMENT

It is a great pleasure for us to acknowledge the assistance and contribution of the number of
individuals who helped us in presenting the Project “Attack detection System”. We have
successfully completed our project with the helpful support of Staff, Project Partners,
External Resources, etc. We acknowledge all of them and thank them for their support.

Special thanks to our project guide Miss Diksha Hiwre, who gave us the valuable guidelines for the
seminar and project work. We wholeheartedly thank all the staff members and every possible
person who helped us in this project.

We would like to express our gratitude to Prof. Shamali Kadu, Head of the Computer Engg.
Department, for prior support in terms of morality, technical aspects and relative guidance
required for the “Attack detection System”, which helped us get a better grip and quality in every
aspect of the project.

Our sincere thanks to Mrs. Pushpa Rani, Principal, Sushganga Polytechnic, Wani, for providing
us an opportunity to present and express the ideas of our project.

Thanking you,

Students
Table of Contents

Summary i

Acknowledgements ii

Declaration iii

1 Introduction 1
1.1 Overview 1
1.2 Rationale 1
1.3 Problem Definition 2
1.4 Results 3
1.5 The Concept of the Attack Detection System (ADS) 3
1.6 Outline of the Thesis 5
1.7 Summary 6

2 Overview of Attack Detection 7


2.1 Introduction 7
2.2 Introduction to Threats and Attacks 7
2.2.1 Types of Threats 8
2.2.2 Attack Categories 10
2.2.3 Methods of Attacks 11
2.3 The Concept of Attack Detection 12
2.4 Attack Detection Techniques 14
2.4.1 User Profiles 14
2.4.2 Neural Networks 15
2.4.3 Expert Systems 16
2.4.4 Conclusion 17
2.5 A Survey of Existing Attack Detection Systems 17
2.5.1 The Sun C2 Security Auditing Package 18
Summary

Attack Detection Systems for secure computer systems are an approach to enhancing
the security of a computer system. In the past, they aimed at only providing a trail
which could be useful in determining how a system was breached and who was
responsible for this breach. More recently, attack detection systems have become
automated tools which analyse audit data captured from a system, detect attacks as they
take place and take measures to prevent further damage to the target system.

The Attack Detection System (ADS) discussed in this thesis is a real-time attack
detection system which allocates points to users who are attempting to attack the target
system, detects attacks by examining the number of points each user has been given,
and takes countermeasures according to this number of points.

Within this thesis, the development of the ADS is presented. The thesis begins with an
overview and survey of the attack detection subject area. This is followed by the
introduction and analysis of the target system service and the user interface
requirements. These requirements are used as the basis for the functional design of the
ADS. Subsequently, the low level design is discussed. Based on this design, the
implementation of the ADS is described. Finally, the system is evaluated and criticised
against the requirements stated. In the light of this critique, suggestions and possible
improvements of the ADS are discussed.

1 Introduction

1.1 Overview

This thesis describes the design and implementation of an attack detection system for
secure computer systems, called the Attack Detection System (ADS). In comparison
with other attack detection systems (see Chapter 2), the ADS described herein is a real-
time system which provides flexibility in order to be more effective in detecting attacks.

This chapter introduces the work of the thesis. It gives the rationale for the work carried
out and defines the problem which was solved, as well as the most significant results of
this work. The overall concept of the ADS is presented and finally an outline of the
thesis is given.

1.2 Rationale

In the past, IT equipment consisted solely of stand-alone systems, whereas in recent
years the trend has been towards computer networks and distributed systems. The
spread of distributed information technology has increased the number of opportunities
for crime and fraud in computer systems. Despite the fact that computer systems are
typically protected by a number of security mechanisms[1], such as encryption[2],
digital signature[3], access control[4], and passwords[5], attacks continue to occur
[6,7,8]. In addition, it seems infeasible to close all the known security loopholes of
today's systems. No combination of technologies can prevent legitimate users from
abusing their authority in a system[9]. Thus, new lines of defence are required to ensure
safe operation of computer systems as well as data protection.

In the last few years, many organisations have adopted the use of auditing systems.
Auditing systems capture all events that occur on a computer system, and keep logs of
the audit data in special files for security analysis. In the beginning, the analysis of log
files was carried out by the security officer of the system, who had to search all the
printed audit data to detect security violations. The large volume of data made this
difficult. The need for tools for automated security analysis of audit data became
evident. Such a system is called an attack (or intrusion) detection system and must have
the following goals:

• to provide a trail of computer system events
• to determine how the system was breached
• to determine who was responsible for a breach
• to take action to prevent further breaches

In conclusion, there is a need for an attack detection system that can provide protection
to a computer system by detecting security violations in real-time. Therefore, the
problem to be solved was defined as stated in the next section.

1.3 Problem Definition

The overall goal of the work presented is to provide a real-time attack detection system
which will detect attacks on a computer system and will instruct the computer system to
take action to prevent further security violations.

The problem to be solved was the design and implementation of a real-time attack
detection system for secure computer systems which could:

• monitor all events that occur on a computer system
• log the events
• analyse each event in order to determine whether it is of potential relevance
  from a security point of view
• store the security relevant events separately
• examine security relevant events against rules stored in a rule base
• decide (in real-time) if an attack is taking place
• send a signal to inform the security officer of a system when an attack occurs
• take action to prevent further attacks

These requirements define the problem that was solved by the implementation of the
Attack Detection System. The next section presents the essential results of this
implementation.

1.4 Results

An attack detection system for secure computer systems has been implemented, called
the Attack Detection System (ADS). This system is a real-time rule-based system which
provides an audit trail for all computer system events, detects attacks by analysing audit
data, and takes measures to prevent additional attacks when an attack occurs.

This attack detection system uses a novel method for detecting attacks, the point
allocation method (see Section 4.3). According to this method, the ADS allocates points
to users who are attempting to attack a computer system. Based on these points, the
ADS takes countermeasures to protect the computer system.

Furthermore, the Attack Detection System is modifiable. This allows the administrator
of the attack detection system to improve its effectiveness. The concept of the Attack
Detection System is described in the next section.

1.5 The Concept of the Attack Detection System (ADS)

The Attack Detection System (ADS) which is the subject of this thesis aims at
providing enhanced security in a computer system called the target system. The ADS
carries out the main functions described below in order to fulfil its goal. Figure 1.1
depicts these functions and the inter-function communication within the ADS.

• Event Collection

The Attack Detection System monitors all target system activities called events,
and logs these events in a data base called Event Data Base (EDB).
Furthermore, it examines each event in order to filter the events which are of
potential relevance from a security point of view.

Figure 1.1: The Main Functions of the Attack Detection System

• Attack Detection

Analysis of the audit records and detection of attacks in real-time. The ADS
applies a rule-based technique to detect attacks, which implies the use of a rule
base called Rule Base (RB). When the ADS detects that a user is acting
suspiciously, it counteracts by automatically deciding upon an action and
instructing the target system to take this action.

• Attack Detection System Access

The ADS informs the Security Officer (SO) of the target system about attacks
detected and suspicious users. It also gives to the SO a picture of all events that
have occurred on the target system.

• Rule Base Access

This function allows the administrator of the ADS to modify the Rule Base in
order to adjust the ADS to the target system.

• Event Data Base Maintenance

The ADS provides this special function to maintain the Event Data Base (EDB)
which is the collection of the audit data files. In particular, the purpose of this
function is to retrieve and store records in the EDB.

• Rule Base Maintenance

The ADS also provides a function to maintain the Rule Base (RB) which
consists of rules. In particular, this function retrieves, stores, updates, and
deletes records from the RB.

1.6 Outline of the Thesis

There are a total of seven chapters in this thesis.

The first chapter has outlined the attack detection area and has described the problem to
be solved, the most significant results of the work carried out and a brief description of
the Attack Detection System.

Chapter 2 introduces threats and attacks, overviews the attack detection area, describes
the most commonly used attack detection techniques and reviews three existing attack
detection systems.

Chapter 3 presents the target system requirements which have been derived from the
study carried out in Chapter 2. These requirements are categorised into the target system
service requirements and the user interface requirements.

Chapter 4 states the functional specification of the Attack Detection System according
to the target system requirements, and presents the high level design of the ADS.

Chapter 5 presents the low level design of the ADS. This presentation includes detailed
descriptions of the design of each module.

Chapter 6 presents the ADS implementation according to the design. This includes
justifications of implementation decisions, explanations of how the designed modules
have been implemented, and examples of the ADS testing carried out.

Chapter 7 evaluates and criticises the whole work discussing improvements.

1.7 Summary

The widespread use of computer networks and distributed systems in computing (e.g. in
Health Care Establishments, business, industry) as well as the lack of sufficient
protection by today's security mechanisms highlight the need for attack detection
systems. The Attack Detection System (ADS) presented in this thesis is a rule-based
system which provides real-time attack detection. It uses a method of points allocation
in order to categorise users according to their suspicion, and takes countermeasures to
protect the target system from further attacks. The following chapters show how this
system was developed by presenting the requirements, functional specification, design,
implementation and testing of the ADS.

2 Overview of Attack Detection

2.1 Introduction

The growing spread of computer networks and distributed systems has created a number
of threats to the security of these systems. The main source of these threats is users who
use methods of attack to damage a system. Due to the fact that the use of security
mechanisms has proved insufficient to protect a computer system from such threats, the
use of an attack detection system seems to be an advanced solution for many
organisations and institutions. Such a system should be able to log all events of a
computer system, and analyse them in order to detect attacks.

This chapter gives an overview of the attack detection area by discussing issues of
security and attack detection. Specifically, it introduces the notion of threats and attacks
giving descriptions of threat sources, types of threats, attack categories, and methods of
attack.

This chapter then presents the concept of attack detection, and three techniques that
could be used for attack detection: user profiles[9], neural networks[10], and expert
systems[11,12].

Finally, a review of existing attack detection systems includes the presentation of three
attack detection systems: the Sun C2 Security Auditing Package[13], the Intrusion
Detection Expert System[14] and the Network Security Monitor[15].

2.2 Introduction to Threats and Attacks

A threat is a potential activity with expected or unexpected harmful results. The
problems caused by these results may or may not be resolved. More specifically, a
threat is a possibility of an attack, and an attack is an attempt (by an attacker) to damage
or in some way negatively affect the working of a computer system, or to damage the
interest of the organisation owning the system.

The source of a threat might be one of three factors: physical, human, and technical, as
they are described below:

• physical factor

The physical factor includes natural disasters such as fire, storm and water
damage.

• human factor

The human factor is the main source of computer breaches and includes
unauthorised users who wish to damage a system and authorised users of a
system who misuse the system either deliberately or accidentally.

• technical factor

The technical factor is the equipment of a system which might fail to carry out
its functions (equipment failure) or might carry them out in an inappropriate way
(equipment malfunction).

There are different types of threats that may endanger a computer system. Short
descriptions of the types of threats to be addressed in a computer network follow in the
next section.

2.2.1 Types of Threats

In general terms, the target of a threat is the computer system. In particular, the assets of
a computer system, i.e. the hardware, the software, the data, etc., are subject to threats.
The following list of types of threats describes the results to the above assets that might
become apparent when threats have been realised[3,5,16].

• Disclosure of Information

Computer networks store, process and convey large amounts of information,
some of it very valuable to organisations. Disclosure of such information may
cause severe problems which harm the overall activity of an organisation.

• Corruption of Information

A user who has succeeded in reading unauthorised information on a computer
may wish to alter it for his own purposes. Corrupted information may be less
valuable or completely worthless. The degree of damage may be higher in this
case than in the case of disclosure only.

• Unauthorised use of Resources

Unauthorised use of the resources (CPU, disk, I/O devices, etc.) of a system may
lead to destruction, alteration or loss of integrity of the resources, and lack of
availability of the resources for authorised activities.

• Misuse of Resources

The intentional or accidental misuse of the system resources by authorised users
may lead to corruption, destruction, disclosure, or loss of data or resources.

• Unauthorised Information Flow

The major function of a computer network is the transmission of information
through the network. Transmission of information must be limited to allow
information flow only between authorised users and end-systems. The
unauthorised flow of information is a serious threat.

• Denial of Service

Denial of service includes the failure of a system to carry out one or more of its
functions. The threat of denial of service in the computer network of an
organisation which is dependent to a great degree on IT for its operations is
potentially catastrophic. For this reason, this threat must be considered
thoroughly as part of any security policy.

Apart from this list of threats there is also another threat, the Repudiation of Information
Flow. The repudiation of information flow involves denial of transmission or receipt of
messages. Although this is a considerable threat in a networked environment which
conveys valuable information, it does not actually endanger a computer system.
Repudiation is a threat by one user against another, not a threat to the system as a
whole, which is why it is not included in the above list.

2.2.2 Attack Categories

When a threat has been realised an attack is said to take place. Attacks are categorised
into accidental and intentional attacks according to the attacker's intentions and into
passive and active attacks according to their effects on the system. Descriptions of these
attack categories follow[3]:

• Accidental Attacks

Accidental attacks are those that occur with no premeditated intent. Such attacks
occur as a result of system malfunctions, operational blunders, software bugs,
and user mistakes.

• Intentional Attacks

Intentional attacks are those that occur with premeditated intent, and may range
from casual data and system examination using easily available monitoring tools
to sophisticated attacks using special system knowledge.

• Passive Attacks

Passive attacks refer to unauthorised disclosure of information without
modification. For example, the use of passive wiretapping[17] to observe
information being transmitted over a communication line is a passive attack.

• Active Attacks

Active attacks include the alteration of information contained in a system and
changes to the state or the operation of a system. For example, a malicious
modification to a file by an unauthorised user is an active attack.

2.2.3 Methods of Attacks

Some methods of attack that could be used against a computer network are:

• Impersonating/Masquerading/Mimicking: An unauthorised user gains access to
a system by posing as an authorised user. Example: using another person's
password to log on [17].

• Active Wiretapping: Connection of an unauthorised device to a communication
link for the purpose of obtaining access to and modifying data[18]. This method
of attack may include the following attacks categorised according to the method
of modifying data:

    • False Messages: The attacker generates false messages or control
    signals[17].

    • Protocol Control Information Modification: A user modifies the protocol
    control information in the message frames in order to send them to a
    wrong destination or to a destination of his preference.

    • Bogus Frame Insert: A user inserts bogus frames into the message
    stream either synthesised or saved from a previous connection.

    • Data Portion Modification: A user modifies the data portion of a
    message to achieve his own purposes.

    • Sequencing Information Modification: A user attacks the ordering of a
    message by modifying the sequencing information in the protocol frame
    control portion.

• Passive Wiretapping: Monitoring or recording of data while the data is being
transmitted over a communication link[17]. This method is also called
eavesdropping.

• Traffic Flow Analysis: Examining the flow of messages across a network. The
frequency, length and addresses (both source and destination) of messages are
analysed.

• Replay: "Playing back" a recording of a previous legitimate message.

• Message Deletion: A user discards messages passing on a communication link.

• Denial of sending a message or its contents: A user denies the fact of sending a
message or its original content.

• Denial of receiving a message or its contents: A user denies the fact of receiving
a message or its original content.

• Jamming: A user misuses the resources of the system by swamping a
communication line with bogus or dummy traffic so that real messages may not
be transmitted.

2.3 The Concept of Attack Detection

The attack detection systems are an approach to enhancing the security of a computer
system. These systems are based on the auditing of events that take place on a computer
system. They aim to provide a trail which could be useful in determining how the
system was breached and who was responsible for this breach. However, they do not
prevent breaches[3].

Essentially, the attack detection area comprises the following four aspects: the event
monitoring, the event analysis, the attack detection and the counteraction aspect.

• Event Monitoring

The event monitoring includes the capture of the events of a computer system by
a specific module called an audit trail, and the recording and storing of these
events in special files in a predetermined format. Each record of those files
represents an event called an audit record.

• Event Analysis

The event analysis covers the division between the security relevant and security
irrelevant events. Examples of such security-relevant events are unsuccessful
attempts to read, write, or delete a file.

• Attack Detection

The attack detection forms the central part of the system including the
characterisation of the suspicious security relevant events as attacks.

• Counteraction

The main responsibility of the automatic counteraction is to decide upon and to
take the proper action when an attack is detected. Actions may be of three kinds:
immediate, temporary and long term actions, as they are described below[3]:

    • An example of an immediate action may be to enforce an immediate
    abort of operations.

    • An example of a temporary action is to disable a terminal for one day.

    • An example of a long term action may be the introduction of an entity
    into a "black list" denying him any further access to the system.

Computer system audit trails are analysed with the use of automated tools. These
automated tools first attempt to isolate security relevant events, so that they can reduce
the large volume of audit data. Subsequently, they examine the security relevant audit
records to detect actual attacks. This examination may take place after the attack or in
real-time. The following types of audit data examination are relevant for security
purposes[9]:

• in-depth off-line (after-the-fact) examination of audit data
• real-time testing of audit data, so that an immediate action is possible
• subsequent examination of the audit data for damage assessment

The examination of audit trails involves the analysis of the users' activities on a
computer system. Anderson[19] has attempted a categorisation of users upon whom
attention should be focused in an audit trail examination, as follows:

• external penetrators: unauthorised users who wish to damage a system, or the
interest of the organisation owning a system.

• internal penetrators: authorised users of a system who are not authorised for the
use of resources accessed. This category also includes masqueraders who
operate under another user's identity, and clandestine users who evade auditing
and access controls.

• misfeasors: authorised users of a computer system and of the resources they
access, but who misuse their privileges.

The detection of attacks carried out by the user categories described above requires the
use of attack detection techniques. A survey of the existing techniques is presented in
the next section.

2.4 Attack Detection Techniques

The design and implementation of an attack detection system requires the use of
appropriate techniques which will achieve the goals of such a project. In recent years,
many research groups and institutions have developed and experimented with different
methods of detecting attacks. Three attack detection techniques have gained favour:
user profiles[9], neural networks[10], and expert systems[11,12].

2.4.1 User Profiles

The user profiles technique aims at distinguishing users from one another. This
approach is based on user patterns of computer system usage, and on the fact that user
behaviour characteristics may be used to discriminate between normal user behaviour
and departures from it.

In particular, a user's pattern consists of a number of measures, such as file usage,
compiler usage, day of use, etc., which are profiled for the user. A statistical model
processes the data collected for each user for each measure, thus this technique is
termed a statistical technique. These statistics form a user's historical profile. As the
behaviour of a user changes slightly, his profile is updated to match his new behaviour.
According to this approach, an attack detection system compares the profiles of users
against their behaviour. If a significant departure from the historical profile appears,
then the system becomes suspicious of the user.

In addition to the measures described above, the user profiles technique can be used to
examine other user characteristics related to user's keyboard use. A user's keyboard
activity includes measures like typing speed, typing errors, etc.
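
As an added illustration (not code from the report), the following Python sketch implements the statistical user-profile technique just described: a per-user profile holding a running mean and variance for each measure, a departure test in standard deviations, and a slight profile update after every normal session so that the profile follows gradual changes in behaviour. The user, the three measures and all session values are constructed sample data.

```python
# Added example: statistical user profiles with departure detection (not the report's code).
from dataclasses import dataclass, field
import math

# Measures profiled per user (hypothetical choice; the report lists file usage,
# compiler usage and day/time of use as typical measures).
MEASURES = ("files_accessed", "compiler_runs", "hour_of_use")


@dataclass
class MeasureStats:
    mean: float
    var: float


@dataclass
class UserProfile:
    stats: dict = field(default_factory=dict)
    alpha: float = 0.1  # how fast the profile follows new behaviour (0 < alpha < 1)

    def train(self, sessions):
        """Build the historical profile from sessions known to be normal."""
        for m in MEASURES:
            values = [s[m] for s in sessions]
            mean = sum(values) / len(values)
            var = sum((v - mean) ** 2 for v in values) / len(values)
            self.stats[m] = MeasureStats(mean, var)

    def departures(self, session, threshold=3.0):
        """Measures on which the session deviates by more than `threshold`
        standard deviations, mapped to their z-score."""
        flagged = {}
        for m in MEASURES:
            st = self.stats[m]
            # floor sigma so a measure that hardly varied does not turn every
            # small change into a huge z-score
            sigma = max(math.sqrt(st.var), 1.0)
            z = abs(session[m] - st.mean) / sigma
            if z > threshold:
                flagged[m] = round(z, 2)
        return flagged

    def update(self, session):
        """Exponentially weighted update of mean and variance (profile drift)."""
        for m in MEASURES:
            st = self.stats[m]
            delta = session[m] - st.mean
            st.mean += self.alpha * delta
            st.var = (1 - self.alpha) * (st.var + self.alpha * delta * delta)


def analyse_session(profile, session, threshold=3.0):
    """Return ("suspicious", flagged) and leave the profile untouched, or
    ("normal", {}) after folding the session into the profile."""
    flagged = profile.departures(session, threshold)
    if flagged:
        return "suspicious", flagged
    profile.update(session)
    return "normal", {}


# Constructed history for one user: five ordinary working sessions.
ALICE_HISTORY = [
    {"files_accessed": 20, "compiler_runs": 3, "hour_of_use": 9},
    {"files_accessed": 25, "compiler_runs": 4, "hour_of_use": 10},
    {"files_accessed": 22, "compiler_runs": 2, "hour_of_use": 9},
    {"files_accessed": 18, "compiler_runs": 5, "hour_of_use": 11},
    {"files_accessed": 24, "compiler_runs": 3, "hour_of_use": 10},
]
NORMAL_SESSION = {"files_accessed": 23, "compiler_runs": 4, "hour_of_use": 10}
# A constructed session at 03:00 touching four times the usual number of files.
ODD_SESSION = {"files_accessed": 90, "compiler_runs": 3, "hour_of_use": 3}


def build_alice_profile():
    profile = UserProfile()
    profile.train(ALICE_HISTORY)
    return profile


if __name__ == "__main__":
    p = build_alice_profile()
    for s in (NORMAL_SESSION, ODD_SESSION):
        print(analyse_session(p, s))
```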

2.4.2 Neural Networks

Due to the fact that a user's behaviour is very complex, and observation and detection of
departures from the normal activity of a user is quite difficult, the technique described
in the previous subsection may cause a significant number of false alarms. These alarms
can mislead the statistical algorithms used for this detection approach, so that
undetected attacks can pass through a system. Neural networks have been used in recent
years in an attempt to progressively replace the user profiles technique[20]. Laurene
Fausett[21] defines neural networks as follows:

    Neural networks are information processing systems inspired by
    biological neural systems but not limited to modelling such systems.
    They consist of many simple processing elements joined by weighted
    connection paths. A neural net produces an output signal in response to
    an input pattern; the output is determined by the values of the weights.

One of the areas in which neural networks are currently being applied is the general area
of pattern recognition[22]. The user profiles technique described in the previous section
falls into this general area. Teresa Lunt[10] has attempted a description of the problems
that neural networks seem to solve if used in replacement to the user profiles technique:

• The need for accurate statistical distributions

In some cases statistical methods require the use of assumptions about the
underlying distributions of user behaviour, such as a Gaussian distribution of
deviations from a norm. Invalid assumptions may lead to a high false-alarm rate.
Neural networks do not require such assumptions, thus a neural network
approach can increase the reliability of an attack detection system.

• Difficulty in evaluating detection measures

The selection of a set of intrusion-detection measures as well as the evaluation
of their effectiveness for characterising user behaviour has been proved quite
difficult[9]. Regarding the evaluation process, a measure may seem to be
ineffective when considered for all users, but may be useful or totally effective
for some particular user. A neural network can serve as a tool which helps the
evaluation process of various sets of measures.

• High cost of algorithm development

The revising of old statistical algorithms and building new software is a time
consuming procedure. In addition, it is costly to reconstruct existing statistical
algorithms and to modify the software which implements them. Neural network
implementation has proved easier to maintain and adopt[9].

• Difficulty in scaling

The use of a statistical approach causes new problems when the number of users
to be monitored is large, e.g. thousands of users. Therefore, the need for
methods which will be used to assign individuals to groups on the basis of
similarity of behaviour, becomes apparent. Such a method results in the need to
maintain group profiles instead of a profile for each user. Although there are a
number of characteristics that could assist this grouping, such as job title, shift,
responsibilities, etc., this approach may prove inadequate. A neural network
could be used to classify users according to their actual observed behaviour, thus
making group monitoring more effective.

Although the neural network technique seems to be promising for intrusion detection
systems, Lunt believes that a neural network approach cannot simply replace a
statistical-based approach[9].

2.4.3 Expert Systems

The expert systems technique uses traditional expert system technology which simply
includes the codification of the knowledge of experts in intrusion detection into the
form of rules. These rules are maintained into a rule base and are used to examine the
audit data for suspicious activity.

Several projects have adopted the expert system technique to fill some of the gaps in the
statistical-based approach. In the Intrusion Detection Expert System (IDES)[14]
approach described in Section 2.5.2, the rule base contains encoded information about
known system vulnerabilities, reported attack scenarios and intuition about suspicious
behaviour. These rules do not depend on past user or system behaviour. An example of
such a rule might be that more than three unsuccessful login attempts for the same user
identity within five minutes is to be treated as a penetration activity.

Although the expert system technique can be used to fill some of the gaps in the
statistical-based technique, it also has two limitations[9] as described below:

 The rules have information about known vulnerabilities and attacks, but not
about unknown ones.

 An activity that does not trigger a rule will pass undetected.

In summary, an expert system approach can be proved efficient in detecting intrusion
activities on a computer system, only if the rule base is comprehensive enough to detect
a large number of attempted attacks.
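
As an added example (not the report's own code, and not the ADS implementation of the later chapters), the following Python sketch combines the expert system technique with the points idea mentioned in Section 1.4: security-relevant audit records are matched against a small rule base that includes the report's example rule (more than three failed logins for one user within five minutes), each rule that fires allocates points to the user, and the user's running total selects an immediate, temporary or long-term countermeasure of the kinds listed in Section 2.3. The audit records, the protected-path prefix, the point values and the thresholds are all constructed assumptions.

```python
# Added example (not the report's code): rule base, point allocation, countermeasures.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AuditRecord:
    time: datetime
    user: str
    event: str       # "login", "read", "write", "delete", ...
    outcome: str     # "success" or "failure"
    obj: str = ""    # file or resource touched, if any

PROTECTED_PREFIXES = ("/etc/",)   # constructed: paths the rule base guards

def rule_failed_logins(rec, ads):
    # The report's example rule: more than three unsuccessful login attempts
    # for the same user identity within five minutes.
    return (rec.event == "login" and rec.outcome == "failure" and
            ads.failures_within(rec.user, "login", rec.time, timedelta(minutes=5)) > 3)

def rule_protected_file(rec, ads):
    # Unsuccessful read/write/delete of a protected file; Section 2.3 names
    # such failures as security-relevant events.
    return (rec.event in ("read", "write", "delete") and rec.outcome == "failure"
            and rec.obj.startswith(PROTECTED_PREFIXES))

# Rule base: (rule name, points allocated when it fires, predicate).
RULE_BASE = [
    ("more than three failed logins in five minutes", 3, rule_failed_logins),
    ("failed access to a protected file", 3, rule_protected_file),
]

# Points needed for each kind of countermeasure, most severe first (constructed).
ACTION_THRESHOLDS = [
    (8, "long_term"),    # put the user on the black list
    (5, "temporary"),    # disable the user's terminal for one day
    (1, "immediate"),    # abort the current operation
]

def choose_action(points):
    for minimum, kind in ACTION_THRESHOLDS:
        if points >= minimum:
            return kind
    return None

class ADS:
    def __init__(self, rules=RULE_BASE):
        self.rules = rules
        self.event_db = []                  # EDB: every event collected
        self.relevant = []                  # security-relevant events, stored apart
        self.failures = defaultdict(list)   # (user, event) -> times of failures
        self.points = defaultdict(int)      # points allocated per user

    def failures_within(self, user, event, now, window):
        """Count recorded failures t with now - window <= t <= now."""
        return sum(1 for t in self.failures[(user, event)] if now - window <= t <= now)

    @staticmethod
    def is_security_relevant(rec):
        # Event analysis: keep failures, logins and deletions; drop routine successes.
        return rec.outcome == "failure" or rec.event in ("login", "delete")

    def process(self, rec):
        """Collect, analyse and examine one record; return the countermeasure
        chosen for the user after it, or None when no rule fired."""
        self.event_db.append(rec)
        if not self.is_security_relevant(rec):
            return None
        self.relevant.append(rec)
        if rec.outcome == "failure":
            self.failures[(rec.user, rec.event)].append(rec.time)
        fired = [r for r in self.rules if r[2](rec, self)]
        if not fired:
            return None
        self.points[rec.user] += sum(r[1] for r in fired)
        return choose_action(self.points[rec.user])

T0 = datetime(2024, 3, 1, 9, 0)   # constructed start of the sample audit trail

def minutes(n):
    return T0 + timedelta(minutes=n)

SAMPLE_AUDIT_TRAIL = [   # constructed audit records
    AuditRecord(minutes(0), "mallory", "login", "failure"),
    AuditRecord(minutes(1), "mallory", "login", "failure"),
    AuditRecord(minutes(2), "mallory", "login", "failure"),
    AuditRecord(minutes(3), "mallory", "login", "failure"),   # fourth within 5 min
    AuditRecord(minutes(6), "mallory", "read", "failure", "/etc/shadow"),
    AuditRecord(minutes(7), "mallory", "delete", "failure", "/etc/passwd"),
    AuditRecord(minutes(8), "bob", "login", "failure"),
    AuditRecord(minutes(9), "bob", "login", "success"),
    AuditRecord(minutes(10), "bob", "read", "success", "/home/bob/notes"),
]

def run_sample(records=SAMPLE_AUDIT_TRAIL):
    """Feed the trail through a fresh ADS; return (ads, action per record)."""
    ads = ADS()
    return ads, [ads.process(r) for r in records]
```

Running the sample trail escalates mallory from an immediate abort at the fourth failed login, to a temporary action after the first protected-file failure, to the black list after the second, while bob's single failed login never triggers a rule.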

2.4.4 Conclusion

The presentation of attack detection techniques shows that none of these techniques
could be sufficient alone, because each addresses a certain user category and/or some of
the methods of attack[9]. A successful intrusion detection system should incorporate a
number of these techniques.

Although the Attack Detection System (ADS) described in the remaining chapters uses
only the expert system technique, the results showed that its success rate is
satisfactory (see Chapter 7). On the other hand, the ADS is a flexible system which
allows the incorporation of other techniques in the future. This is facilitated by the use
of a method of points allocation described in Section 4.3.

2.5 A Survey of Existing Attack Detection Systems

This section is divided into three subsections. The first subsection presents a security
auditing package which has been implemented to assist the security officer's job. The
second one describes the functionality of a real-time intrusion detection expert system
which incorporates both the user profiles and the expert system techniques. Finally, the
third subsection presents a network security monitoring system which is based on
profiles of the usage of network resources.

2.5.1 The Sun C2 Security Auditing Package

The Sun Operating System (SunOS) provides a security option to match the C2 class of
the Department of Defense (DoD) Trusted Computer System Evaluation Criteria. This
security option is the Sun C2 Security Auditing Package[13], which logs events and
examines audit data in batch mode.

In accordance with the C2 class requirements, the system makes users individually
accountable for their actions using login and password procedures, audits the security
relevant actions, and isolates resources[23]. The Sun C2 security features differ slightly
from those required for the C2 class; the differences include encryption of passwords,
auditing of most system events, and a password requirement for single-user booting.

The Sun C2 security auditing package is not a real-time system. It gathers information
about user activities, stores it in special audit files and processes it in batch mode when
requested by the Security Officer of the system. The purpose of the auditing process is
to gather information about who is performing an operation, what the operation is, what
operations are occurring with unusual frequency, and who is performing abnormal
operations. Two sets of information are captured: a set of audit information for all users
at login time (called the system audit value), and a set of audit information for each
particular user ID (called the user audit value). The format of the Sun C2 security
auditing package audit records is described in [24].

The user action types that are monitored by the Sun C2 package are first defined by the
system audit value and subsequently they are modified by the user audit value. A record
is logged in one of the audit files for each action. The Sun C2 combines the system
audit value and the user audit value to define a new term, the process audit state. The
process audit state is set at login time, and is uniquely associated with one process that a
user executes. It determines the events that should be audited for that process according
to the following three rules which are also presented on a decision matrix in Figure 2.1.

1. When the system audit state specifies auditing and the user audit state either
specifies auditing or is not able to specify, then the event is audited.

2. When the system audit state specifies auditing and the user audit state specifies
no auditing, then the event is not audited.

3. When the system audit state specifies no auditing and the user audit state specifies
auditing, then the event is audited.

system audit state     user audit state     process audit state
auditing               N/A                  auditing
auditing               no auditing          no auditing
auditing               auditing             auditing
no auditing            auditing             auditing

Figure 2.1: Rules to Determine the Events that should be Audited

The Sun C2 security auditing package audits sets of occurrences of events defined as
event classes. Figure 2.2 lists the event classes supported to date.

name   description
dr     Read of data, open for reading, etc.
dw     Write or modification of data
dc     Creation or deletion of any object
da     Change in object access (modes, owner)
lo     Login, logout, creation by at
ad     Normal administrative operation
p0     Privileged operation
p1     Unusual privileged operation

Figure 2.2: List of the Sun C2 Event Classes

An audit state is signified by a flag, called the audit flag, which indicates a particular
event class. This flag determines what should be done with an event and has the
following format:

<option><class>

An option is the symbol '+', the symbol '-', or blank. A class is any of the event classes
described above. The plus symbol selects auditing of successful events only, e.g. a
successful read of a file; the minus symbol selects auditing of failed events only, e.g. a
failed write to a file; the absence of either selects auditing of both successful and failed
events.

An audit value definition is a comma-separated list of audit flags. The following two
criteria guide the Security Administrator in the choice of the initial audit value:

- the level of trust of the users on the system;

- the amount of space available for audit file systems: the more events audited, the
  more space needed.

The audit value is chosen at installation time for all the users of a system and can be
modified later for each user, according to how suspicious they are.
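The audit flag syntax and the Figure 2.1 decision matrix together, as an added example that is not part of the original report or of SunOS: it parses audit values of the <option><class> form, combines a system value with a user value class by class, and answers whether a given event would be audited. The Python layout, the sample values and the reading of "N/A" as "the user value does not mention the class" are assumptions; the report gives no separate syntax for a user value that says "no auditing", so here a class named with only one option switches the other outcome off.

```python
"""Sun C2-style audit flags. An audit value is a comma-separated list of
<option><class> flags; the system value and the per-user value are combined into
the process audit state following the decision matrix of Figure 2.1.
Example code, not from the original report or from SunOS; the Python layout,
the sample values and the per-outcome reading of 'N/A' are assumptions."""

EVENT_CLASSES = {"dr", "dw", "dc", "da", "lo", "ad", "p0", "p1"}
OUTCOMES_FOR_OPTION = {"+": {"success"}, "-": {"failure"}, "": {"success", "failure"}}


def parse_audit_value(value):
    """Map each class named in the audit value to the set of outcomes audited
    for it: '+dr' -> successes only, '-dw' -> failures only, 'lo' -> both.
    A class named twice ('+dw,-dw') audits the union of the outcomes."""
    state = {}
    for flag in (f.strip() for f in value.split(",")):
        if not flag:
            continue                      # tolerate a trailing comma
        option, cls = (flag[0], flag[1:]) if flag[0] in "+-" else ("", flag)
        if cls not in EVENT_CLASSES:
            raise ValueError(f"unknown event class {cls!r} in flag {flag!r}")
        state.setdefault(cls, set()).update(OUTCOMES_FOR_OPTION[option])
    return state


def process_audit_state(system_value, user_value):
    """Combine the two values class by class (Figure 2.1):
      system audits, user N/A            -> audited     (row 1)
      system audits, user does not       -> not audited (row 2)
      both audit                         -> audited     (row 3)
      system does not, user audits       -> audited     (row 4)
    'N/A' is read as: the user value does not mention the class at all. When it
    does mention the class, the user's outcome set wins, so '+dw' in the user
    value switches off auditing of failed writes even if the system value has
    '-dw' (assumption: the report gives no separate 'no auditing' syntax)."""
    system = parse_audit_value(system_value)
    user = parse_audit_value(user_value)
    state = {}
    for cls in EVENT_CLASSES:
        outcomes = user[cls] if cls in user else system.get(cls, set())
        if outcomes:
            state[cls] = outcomes
    return state


def should_audit(state, cls, success):
    """Is an event of class `cls` with the given outcome audited under `state`?"""
    return ("success" if success else "failure") in state.get(cls, set())


if __name__ == "__main__":
    # Constructed values: the site audits logins, failed writes and privileged
    # operations for everyone; one user additionally gets all reads audited and
    # only successful writes.
    st = process_audit_state("lo,-dw,p0,p1", "+dw,dr")
    for cls in sorted(st):
        print(cls, sorted(st[cls]))
```

Note the consequence of row 2: a per-user value can narrow what the site-wide value audits, so a Security Officer who wants to tighten auditing of a suspicious user must make sure the user value is a superset of the system value for every class it names.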

Since the process audit state is set at the login time of a user, all the processes of this
user and all their child processes inherit this audit state. However, there are cases where
the audit state changes. The audit state change process is responsible for such changes,
which can be either permanent or immediate, as follows:

- Permanent changes are made for new login sessions, i.e. when a user logs in to another
  session. In such a case the audit state of this user changes and all new processes
  inherit the new audit state, whereas the existing processes do not.

- Immediate changes are made in the middle of a user's session and do not affect new
  sessions. An example of an immediate change is when the Security Officer begins
  documenting the activities of a suspicious user. In this case the new audit state
  affects all the existing processes but not new sessions.

Once the Sun C2 security auditing package has been installed, it records user events
according to the values of the parameters specified above and logs these events in
special audit files. These files are placed on a separate file system, called the audit file
system. At any time the Security Officer may process the stored information and
examine the result of this processing.

The main disadvantage of this auditing system is that it is not fully automated, which
means that it cannot actually detect attacks. Nevertheless, it can be used as an auditing
system which provides audit data to assist the Security Officer's job, or as the event
collection component of an attack detection system which processes the collected audit
data.

2.5.2 IDES - A Real Time Intrusion Detection Expert System

Although during the last several years a number of automated audit trail analysis
techniques have been examined and many intrusion-detection systems have been
implemented, SRI's work is the basis of many attack detection systems. SRI
International has designed and developed a real-time comprehensive attack detection
system called Intrusion Detection Expert System (IDES)[14]. The main objective of
IDES is to provide a system independent mechanism for real-time detection of security
violations. This model provides a framework for a general purpose attack detection
system due to the fact that it is independent of any particular application environment,
level of audit data, system vulnerability, or type of intrusion. The IDES approach is
based on the hypothesis that any exploitation of a computer system's vulnerabilities
entails behaviour that deviates from previous patterns of use of the system[25].
Consequently, intrusions can be detected by observing abnormal patterns of use.

The IDES design model, the IDES system and its active processes are discussed below.

The IDES design model is divided into four parts, as shown in Figure 2.3:

1. the target system domain

2. the realm interface

3. the processing engine (event subsystem)

4. the user interface

Short descriptions of these parts are provided below.

1. The IDES target domain

The IDES target domain consists of a set of realms (1) that are being monitored for
anomalous activity.

(1) In the IDES environment, a realm is a group of similar target machines that are being
monitored; "similar" means that the machines produce audit trails that have the same
format.
2. The realm interface

The IDES realm interface is the bridge that connects the IDES domain and the
IDES analytical components. This interface has two pieces:

- the part that resides within the IDES target domain (the realm client),

- the other one, local to the IDES processor (the realm server).

These two components are responsible for collecting the target system activities
for the IDES analytical engines, and for filtering out any realm-private data and
setting it aside for specific uses as needed.

Figure 2.3: The IDES Design Model

3. The IDES processor (event subsystems)

The IDES processor is the computing environment that is responsible for the
analysis of the information acquired from the IDES domain. It is composed of
two event subsystems; one event subsystem is based on statistical methods and
another one is rule-based.

4. The IDES user interface

The IDES user interface component allows the user to view any of the
information created and processed within the IDES system (i.e., within the realm
interface and the IDES event subsystems), as well as to observe any
component's status and activity.

The IDES system is composed of the following major functional components:

1. the Realm Interface that implements the interface between the IDES target
domain and the IDES processor,

2. the Statistical Anomaly Detector that implements the event subsystem based on
statistical methods[26,27],

3. the Expert System Anomaly Detector that implements the rule-based event
subsystem[28,29], and

4. the User Interface that implements the interface between the IDES processor and
the security officer.

Short descriptions of these components and their main functions are provided below.
The general functionality of the IDES is depicted in Figure 2.4.

1. Realm Interface

The realm interface is responsible for accepting the raw data, converting it to a
standard IDES audit record format, and temporarily storing it (if necessary) until
the IDES analytical components can process it. The realm interface consists of
two sub-components: a target system component (called agen) which
implements the realm client, and an IDES component (called arpool) which
implements the realm server. Agen collects raw audit data from several sources
on the target machine and translates the system's native audit record format into
a format that IDES can process.

Arpool is the clearing house for IDES audit records. Its purpose is to accept
IDES-formatted audit records from multiple target machines and serialise them
into a single stream. It then does some further processing of the data, such as
time stamping each IDES audit record and assigning a unique sequence number
to each one.

2. Statistical Anomaly Detector

The statistical anomaly detector implements the user profiles technique
described in Section 2.4.1. It observes behaviour on a monitored computer
system and adaptively learns what is normal for subjects. Observed behaviour is
flagged as a potential intrusion if it deviates significantly from expected
behaviour for that subject. It maintains a statistical subject knowledge base
consisting of profiles. A profile is a description of a subject's expected (i.e.,
normal) behaviour with respect to a set of intrusion-detection measures[30].
Profiles are designed to require a minimum amount of storage for historical data
and yet record sufficient information that can readily be decoded and interpreted
during anomaly detection. The profiles keep only statistics such as frequency
tables, means, and covariances.

Figure 2.4: The IDES General Functionality

3. Expert System Anomaly Detector

The expert system anomaly detector implements the expert systems technique
described in Section 2.4.3. The IDES rule-based component evaluates user
behaviour by evaluating events (audit records) using a set of rules from a
knowledge base. These rules describe suspicious behaviour based on knowledge
of past intrusions, known system vulnerabilities, and the installation-specific
security policy. The user's behaviour is analysed without reference to whether it
matches past behaviour patterns. While the statistical anomaly detector attempts
to define normal behaviour for a user, the expert system anomaly detector
attempts to define proper behaviour, and to detect any breaches of etiquette.

The IDES rule-based component operates in parallel with the statistical
component. It is loosely coupled in the sense that the inferences made by the two
subsystems are independent. The rule-based detector and the statistical anomaly
detector share the same source of audit records and produce similar anomaly
reports, but the internal processing of the two systems is done in isolation.

The knowledge base of the rule-based component contains information about
known system vulnerabilities and reported attack scenarios, as well as intuitions
about suspicious behaviour.

4. User Interface

In IDES, two types of user interfaces have been implemented:

- the security officer's interface, which assimilates the output of the anomaly
  detector units, and

- a set of analyst tools used for the experimentation and testing of the IDES
  statistical component.

The IDES Security Officer interface maintains a continuous display of various
indicators of user behaviour on the monitored system. When IDES detects an
anomaly, it sends to the screen a message indicating the cause of the anomaly.

In conclusion, IDES is a real-time stand-alone system which detects attacks using a
statistical anomaly detector that implements the user profiles technique and a rule
base that implements the expert system technique. The combination of the two
techniques makes IDES more efficient and reliable than systems that rely on one of
them alone.

2.5.3 A Network Security Monitor

Heberlein et al[15,31] have designed an experimental Local Area Network (LAN)
monitor called the Network Security Monitor (NSM). This system develops profiles of
usage of network resources and then compares current usage patterns with the historical
profile to determine possible security violations. Its basic strategy is similar to
host-based intrusion-detection systems such as IDES, described in the previous subsection.
However, the use of a hierarchical model to refine the focus of the intrusion-detection
mechanism makes this system different from others.

The main concept of the NSM hierarchical model is based on a four dimensional matrix
(similar in concept to the well-known access matrix) of which the axes are:

- Source: a host which generates traffic

- Destination: a host to which traffic is destined

- Service: mail, login, etc.

- Connection ID: a unique identifier for a specific connection

Each cell in the matrix represents a unique connection on the network from a source
host to a destination host by a specific service, and holds two values:

- the number of packets passed on the connection over a certain time interval, also
  known as the counter. This counter indicates how many packets have been generated
  by a single connection.

- the sum of the data carried by those packets, i.e. how many bytes of data have
  been generated by the connection (a packet may contain a variable amount of data).

The data patterns in the matrix represent the current traffic; an analyser examines these
patterns to determine whether an attack is occurring on the system. There are two
methods of performing such an examination:

1. To compare the traffic matrix against a matrix holding a certain pattern. One way to
implement this method is to keep patterns of known attacks and to let through only the
current traffic measurements whose values match those of a known attack. With this
method a new, previously unseen attack would go unnoticed; the opposite approach is
therefore more promising: a mask of normal traffic that lets through only the
measurements which do not match it. Figure 2.5 presents the latter approach in three
matrices.

Figure 2.5: Comparison of a Traffic Matrix against a Certain Pattern (three matrices:
current data, data mask, anomalous data)

The first matrix holds the values of the current data (the data under examination), the
second matrix holds the values of the mask, and the third one shows the cells that
deviate from the known pattern, the anomalous data.

The NSM groups cells in a logical and hierarchical fashion in order to apply the
described examination method. The groups are then presented to a mask, which
in turn has been grouped. If a group passes through the mask, this group can be
presented to the security officer. Furthermore, the NSM can break the group into
its smaller constituents to perform a more detailed analysis.

Figure 2.6 shows the gradual grouping of cells that creates a coarse grain matrix
from a fine grain matrix.

Figure 2.6: Gradual Grouping of Cells (fine grain matrix to coarse grain matrix)

The groupings are based on the axes of the matrix discussed above. Each level of grouping
effectively reduces the dimension of the matrix by one. These groupings include the
source-destination-service, the source-destination, and the source groups, as described
below. The result of these groupings is a hierarchical structuring of groups from the
Source group to the individual cell, as depicted in Figure 2.7.

- Source-Destination-Service: the group associated with a specific service between two
  hosts, representing all the traffic flowing from the Source to the Destination by that
  Service.

- Source-Destination: the aggregate of all the service groups for a pair of hosts,
  representing all the traffic flowing from the Source to the Destination.

- Source: the aggregate of all the Source-Destination groups for a specific source host,
  representing all the traffic generated by that Source.

Figure 2.7: Searching from a coarse grain matrix analysis to a fine grain analysis
(levels, from coarse to fine: Source, Source-Destination, Source-Destination-Service)

2. To apply a set of rules against the matrix. This method examines the current traffic
matrix by applying a set of rules to it. Unfortunately, examination results have shown
that not all rules apply well at all grouping levels, so a rule may be applicable at only
a single level.

The NSM system is composed of the following main components:

- the packet catcher

- the parser

- the matrix generator

- the matrix analyser

- the matrix archiver

Short descriptions of these components and their main functions are provided below:

- packet catcher

The packet catcher captures the traffic of a network, assembles the individual bits into
separate Ethernet packets, and passes each packet to the parser. It is the only
platform-dependent component of the NSM.

- parser

The parser takes the packet from the packet catcher, parses the layers of protocol,
extracts pertinent information from each layer, and passes the information to the
matrix generator. The parser needs detailed knowledge of the protocols it is required
to parse. The pertinent information consists of the packet's source, the packet's
destination, the service, which host initiated the connection, and a unique thread ID.
Although NSM currently parses only the IP and TCP protocols, this pertinent information
should be available in most other protocols as well.

- matrix generator

The matrix generator takes the information passed down from the parser, finds the cell
in the Access Control Matrix (i.e. the current traffic matrix) to which the packet
belongs, and increments a counter in that cell. Because the number of all possible
4-tuples <source, destination, service, connection ID> is extremely large, the matrix
is implemented as a sparse matrix of linked lists and is shared with the matrix
analyser. In addition to communicating with the matrix analyser by updating the
counters in the matrix cells, the generator sends a message to the matrix analyser
every time a new node has to be created, to indicate that a new communication has
begun.

The linked-list matrix format consists of a list of nodes containing the addresses of
hosts which have placed a packet on the network, as described below:

- Each of these source nodes has a list of nodes holding the addresses of hosts to
  which the source node has sent a packet. It also contains the total number of
  packets which it has generated, and it knows how many destination nodes are below
  it.

- Each of these destination nodes has a list of nodes holding information about each
  service used between the source and destination hosts. It also contains the sum of
  all the packets which have passed between the source and the destination, and it
  knows how many service nodes are below it.

- Each service node has a list of nodes holding information about each connection
  using the service between the source and destination hosts. It also contains the sum
  of all the packets using the service between the source and destination nodes, and
  it knows how many connection nodes are below it.

- Each connection node contains the number of packets used by the connection and
  which host, source or destination, initiated the connection.

- matrix analyser

The matrix analyser examines the matrix representing the current traffic.
Specifically, it looks for unusual traffic patterns. This examination is done by
means of the two methods described above.

The matrix analyser is triggered by two different events:

- when a new node is generated by the matrix generator, a quick analysis is made of
  the new connection;

- an alarm is triggered at prescribed intervals to start a thorough analysis (the
  current monitor checks every 5 minutes).

The matrix analyser also handles the reporting of problems to a security officer.
When another component, the NSM user interface, is added, the matrix analyser
will then pass the results to the interface module, which will determine how to
present the results to the officer.

- matrix archiver

The matrix archiver writes the matrix representing the current traffic out to disk.
Currently, a signal to save the matrix is sent to the archiver by the matrix
analyser every 15 minutes. The size of NSM archive files is approximately two
and a half kilobytes when compressed. Thus, approximately one megabyte of
storage is used every four days. The archive files can be used to build or update
a network profile. Also, if a previously unsuspicious host is marked as
suspicious, its previous network activity can be tracked.

Essentially, the analysis phase performed by the NSM includes two procedures:
detection of specific patterns and detection of unusual patterns. These two procedures
are described below:

- detection of specific patterns

Detection of specific patterns in the network traffic requires the application of a
series of rules to the current matrix. The prototype currently looks for very simple
patterns: a single host communicating with more than fifteen other hosts, logins (or
attempted logins) from one host to fifteen or more other hosts, and any attempt to
communicate with a non-existent host. These rules scan for unimaginative and
systematic attempts to break into a local computer system.

- detection of unusual patterns

Detecting unusual patterns by a probabilistic analysis of the traffic requires
knowledge of what the normal traffic flow is. The current traffic matrix is then
compared to the normal/abnormal traffic mask to determine if something unusual is
happening.

In conclusion, the NSM examines the current network traffic when a new node is added,
and at five minute intervals. When a new node is added to the network, the probabilistic
analysis examines the cell against the normal/abnormal mask. At five minute intervals,
the entire traffic matrix is compared to the normal/abnormal mask and the rules.
Examining the probability that each path will exist and the probability that the amount
of traffic generated on each path is normal can be expensive, so the hierarchical search
pattern is used to limit the depth of the search. The search examines the summary
information at each index node - the grouping information mentioned previously - to
determine whether to perform an analysis deeper into the matrix or not. For example, if
two nodes are communicating within normal boundaries, further examination of the
individual services and connections may not be conducted.

Finally, the NSM's normal profile does not consist simply of a mean and a variance; it
consists of a range of values and the probability of observing a value at each range.
Careful examination of network traffic showed that data amounts were not always
distributed in a Gaussian manner; therefore, the mean and variance could not capture
the true shape of the data.
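The NSM data structure and both of its analysis methods in one piece, as an added example that is not part of the original report or of the NSM itself: it covers the matrix generator's nested <source, destination, service, connection ID> structure and grouping levels described earlier in this subsection, the two host-level rules of the prototype, and the probabilistic mask comparison with the hierarchical search just described (a Source-Destination pair within normal bounds is not examined further). The Python layout, the profile format of (low, high, probability) ranges, the 0.05 probability threshold and the sample traffic are assumptions.

```python
"""A model of the NSM traffic matrix and its two analysis methods. Packets are
summarised by <source, destination, service, connection ID> in the nested sparse
structure the report describes; the analyser (1) applies the prototype's Source-
level rules and (2) compares each Source-Destination group with a normal profile
of packet-count ranges and probabilities, descending to the pair's services only
when the pair itself is outside normal bounds. Example code, not from the original
report or from the NSM; layout, profile format, threshold and traffic are assumed."""
from collections import defaultdict

FANOUT_LIMIT = 15       # 'a single host communicating with more than fifteen other hosts'
LOGIN_SWEEP_LIMIT = 15  # 'logins from one host to fifteen or more other hosts'
RARE = 0.05             # assumed: below this probability a value does not fit the mask


class TrafficMatrix:
    """source -> destination -> service -> connection id -> [packets, bytes].
    Group totals are summed from the level below, as in the linked-list layout."""

    def __init__(self):
        self.cells = defaultdict(lambda: defaultdict(lambda: defaultdict(dict)))
        self.new_connections = []   # what the generator signals to the analyser

    def add_packet(self, src, dst, service, conn_id, nbytes):
        conns = self.cells[src][dst][service]
        if conn_id not in conns:
            conns[conn_id] = [0, 0]
            self.new_connections.append((src, dst, service, conn_id))
        conns[conn_id][0] += 1
        conns[conn_id][1] += nbytes

    def packets(self, src, dst=None, service=None):
        """Packet count at the Source, Source-Destination or
        Source-Destination-Service grouping level."""
        dsts = self.cells.get(src, {})
        if dst is not None:
            dsts = {dst: dsts.get(dst, {})}
        total = 0
        for svcs in dsts.values():
            if service is not None:
                svcs = {service: svcs.get(service, {})}
            for conns in svcs.values():
                total += sum(pkts for pkts, _ in conns.values())
        return total


def fanout_rule(matrix, limit=FANOUT_LIMIT):
    """Source-level rule: hosts that sent traffic to more than `limit` other hosts."""
    return sorted(src for src, dsts in matrix.cells.items() if len(dsts) > limit)


def login_sweep_rule(matrix, limit=LOGIN_SWEEP_LIMIT):
    """Source-level rule: hosts with login traffic to `limit` or more other hosts."""
    return sorted(src for src, dsts in matrix.cells.items()
                  if sum(1 for svcs in dsts.values() if "login" in svcs) >= limit)


def probability(profile, key, value):
    """Probability the profile assigns to observing `value` packets on `key`; 0.0 if
    the path was never seen or the value lies outside every recorded range."""
    for low, high, p in profile.get(key, ()):
        if low <= value <= high:
            return p
    return 0.0


def mask_analysis(matrix, profile, threshold=RARE):
    """Hierarchical search: a Source-Destination pair within normal bounds is not
    examined further; an abnormal pair is reported with its abnormal services."""
    anomalies = []
    for src, dsts in matrix.cells.items():
        for dst, svcs in dsts.items():
            pair = matrix.packets(src, dst)
            if probability(profile, (src, dst), pair) >= threshold:
                continue            # prune: nothing unusual between these two hosts
            detail = [(svc, matrix.packets(src, dst, svc)) for svc in svcs
                      if probability(profile, (src, dst, svc),
                                     matrix.packets(src, dst, svc)) < threshold]
            anomalies.append((src, dst, pair, detail))
    return anomalies


# Constructed normal profile: per path, (low, high, probability) packet-count ranges.
NORMAL_PROFILE = {
    ("10.0.0.1", "10.0.0.2"): [(0, 50, 0.70), (51, 200, 0.28), (201, 10**9, 0.02)],
    ("10.0.0.1", "10.0.0.3"): [(0, 100, 0.90), (101, 300, 0.09), (301, 10**9, 0.01)],
    ("10.0.0.1", "10.0.0.3", "ftp"): [(0, 100, 0.97), (101, 10**9, 0.03)],
}


def build_sample_matrix():
    """Constructed traffic for one analysis interval (not captured data)."""
    m = TrafficMatrix()
    for _ in range(30):                     # an ordinary mail exchange
        m.add_packet("10.0.0.1", "10.0.0.2", "mail", "c1", 120)
    for _ in range(500):                    # an unusually large ftp transfer
        m.add_packet("10.0.0.1", "10.0.0.3", "ftp", "c2", 1400)
    for i in range(16):                     # one host trying login on 16 other hosts
        m.add_packet("10.0.0.9", f"10.0.0.{100 + i}", "login", f"s{i}", 60)
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    print("fan-out rule:", fanout_rule(m), "login sweep rule:", login_sweep_rule(m))
    for src, dst, pkts, detail in mask_analysis(m, NORMAL_PROFILE):
        print(f"unusual: {src} -> {dst}, {pkts} packets, services {detail}")
```

On the constructed traffic both Source-level rules name the probing host, the mail pair is pruned at the Source-Destination level without its service being examined, the oversized ftp transfer is reported with the offending service, and every path the profile has never seen is reported because its probability of existing is zero; a profile built from the archiver's saved matrices would fill in those paths over time.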

2.5.4 Conclusion

This section has described three attack detection systems: the Sun C2 Security Auditing
Package, the Intrusion Detection Expert System, and the Network Security Monitor.

The Sun C2 Security Auditing Package provides auditing of events selected by the
security officer of a system, and processes the audit data to produce brief lists of
security relevant events which can be traced more easily. It is a batch system which
does not actually detect attacks but helps the security officer to detect suspicious
users and the actual activities of a system. In addition, the Sun C2 Security Auditing
Package can be used for the collection of audit data to support the development of an
attack detection system; the Attack Detection System used this package during the
first stages of its development. Finally, an event reception module was developed to
provide the required format of audit data.

The Intrusion Detection Expert System (IDES) is a real time attack detection system. It
incorporates the use of a statistical model and an expert system. The statistical model
processes the audit data to detect masquerades and the expert system attempts to detect
users who raise suspicion because of abnormal activities in general.

The Network Security Monitor is based on the IDES concept. It uses traffic flow
analysis to detect attacks and its strategy is based on the monitoring of the usage of
network resources and not on the monitoring of users.

The Attack Detection System (ADS) described in the remaining chapters uses the expert
system technique with a rule base and applies a method of points allocation (see Section
4.3) which ensures its success and allows the incorporation of other techniques (e.g.
neural networks) in the future.

2.6 Summary

This chapter has introduced the concepts of threats and attacks in a computer system
and has discussed some of the main issues of attack detection. Furthermore, three attack
detection techniques have been presented, and three attack detection systems have been
surveyed. The target system requirements stated in the next chapter draw on these
issues.
