MUDDASSIR Microproject of NIS
Micro-Project Report
On
“ATTACK DETECTION SYSTEM”
Presented By
Enrollment Number. Name
2111870 MUDDASSIR SHEIKH
2211870 MIHIR JHA
2211870 PRATHAMESH URKUDE
2211870 ADIB HAQUE
2111870 PRANJALI GRIATKAR
Guided By
Prof. DIKSHA HIWARE
Date:
Place: Wani
ACKNOWLEDGEMENT
It is a great pleasure for us to acknowledge the assistance & contribution of the number of
individuals who helped us in presenting the Project “Attack Detection System”. We have
successfully completed our project with the helpful support of Staff, Project Partners,
External Resources, etc. We acknowledge all of them & thank them for their support.
Special thanks to our project guide Miss Diksha Hiwre, who gave us valuable guidelines for the
seminar & project work. We wholeheartedly thank all the staff members & every
person who helped us in this project.
We would like to express our gratitude to Prof. Shamali Kadu, Head of the Computer Engg.
Department, for prior support in terms of morality, technical aspects & relative guidance
required for the “Attack Detection System”, which helped us get a better grip & quality in every
aspect of the project.
Our sincere thanks to Mrs. Pushpa Rani, Principal, Sushganga Polytechnic, Wani, for providing
us an opportunity to present & express the ideas of our project.
Thanking you,
Students
Table of Contents
Summary i
Acknowledgements ii
Declaration iii
1 Introduction 1
1.1 Overview 1
1.2 Rationale 1
1.3 Problem Definition 2
1.4 Results 3
1.5 The Concept of the Attack Detection System (ADS) 3
1.6 Outline of the Thesis 5
1.7 Summary 6
Attack Detection Systems for secure computer systems are an approach to enhancing
the security of a computer system. In the past, they aimed at only providing a trail
which could be useful in determining how a system was breached and who was
responsible for this breach. More recently, attack detection systems have become
automated tools which analyse audit data captured from a system, detect attacks as they
take place and take measures to prevent further damage to the target system.
The Attack Detection System (ADS) discussed in this thesis is a real-time attack
detection system which allocates points to users who are attempting to attack the target
system, detects attacks by examining the number of points each user has been given,
and takes countermeasures according to this number of points.
Within this thesis, the development of the ADS is presented. The thesis begins with an
overview and survey of the attack detection subject area. This is followed by the
introduction and analysis of the target system service and the user interface
requirements. These requirements are used as the basis for the functional design of the
ADS. Subsequently, the low level design is discussed. Based on this design, the
implementation of the ADS is described. Finally, the system is evaluated and criticised
against the requirements stated. In the light of this critique, suggestions and possible
improvements of the ADS are discussed.
1 Introduction
1.1 Overview
This thesis describes the design and implementation of an attack detection system for
secure computer systems, called the Attack Detection System (ADS). In comparison
with other attack detection systems (see Chapter 2), the ADS described herein is a real-
time system which provides flexibility in order to be more effective in detecting attacks.
This chapter introduces the work of the thesis. It gives the rationale for the work carried
out and defines the problem which was solved, as well as the most significant results of
this work. The overall concept of the ADS is presented and finally an outline of the
thesis is given.
1.2 Rationale
In the last few years, many organisations have adopted the use of auditing systems.
Auditing systems capture all events that occur on a computer system, and keep logs of
the audit data in special files for security analysis. In the beginning, the analysis of log
files was carried out by the security officer of the system, who had to search all the
printed audit data to detect security violations. The large volume of data made this
difficult. The need for tools for automated security analysis of audit data became
evident. Such a system is called an attack (or intrusion) detection system and must have
the following goals:
In conclusion, there is a need for an attack detection system that can provide protection
to a computer system by detecting security violations in real-time. Therefore, the
problem to be solved was defined as stated in the next section.
1.3 Problem Definition
The overall goal of the work presented is to provide a real-time attack detection system
which will detect attacks on a computer system and will instruct the computer system to
take action to prevent further security violations.
The problem to be solved was the design and implementation of a real-time attack
detection system for secure computer systems which could:
decide (in real-time) if an attack is taking place
send a signal to inform the security officer of a system when an attack occurs
These requirements define the problem that was solved by the implementation of the
Attack Detection System. The next section presents the essential results of this
implementation.
1.4 Results
An attack detection system for secure computer systems has been implemented, called
the Attack Detection System (ADS). This system is a real-time rule-based system which
provides an audit trail for all computer system events, detects attacks by analysing audit
data, and takes measures to prevent additional attacks when an attack occurs.
This attack detection system uses a novel method for detecting attacks, the point
allocation method (see Section 4.3). According to this method, the ADS allocates points
to users who are attempting to attack a computer system. Based on these points, the
ADS takes countermeasures to protect the computer system.
Furthermore, the Attack Detection System is modifiable. This allows the administrator
of the attack detection system to improve its effectiveness. The concept of the Attack
Detection System is described in the next section.
1.5 The Concept of the Attack Detection System (ADS)
The Attack Detection System (ADS) which is the subject of this thesis aims at
providing enhanced security in a computer system called the target system. The ADS
carries out the main functions described below in order to fulfil its goal. Figure 1.1
depicts these functions and the inter-function communication within the ADS.
Event Collection
The Attack Detection System monitors all target system activities called events,
and logs these events in a data base called Event Data Base (EDB).
Furthermore, it examines each event in order to filter the events which are of
potential relevance from a security point of view.
Attack Detection
This function covers the analysis of the audit records and the detection of attacks in
real-time. The ADS applies a rule-based technique to detect attacks, which implies the use of a rule
base called Rule Base (RB). When the ADS detects that a user is acting
suspiciously, it counteracts by automatically deciding upon an action and
instructing the target system to take this action.
The ADS informs the Security Officer (SO) of the target system about attacks
detected and suspicious users. It also gives to the SO a picture of all events that
have occurred on the target system.
This function allows the administrator of the ADS to modify the Rule Base in
order to adjust the ADS to the target system.
The ADS provides this special function to maintain the Event Data Base (EDB)
which is the collection of the audit data files. In particular, the purpose of this
function is to retrieve and store records in the EDB.
The ADS provides also a function to maintain the Rule Base (RB) which
consists of rules. In particular, this function retrieves, stores, updates, and
deletes records from the RB.
1.6 Outline of the Thesis
The first chapter has outlined the attack detection area and has described the problem to
be solved, the most significant results of the work carried out and a brief description of
the Attack Detection System.
Chapter 2 introduces threats and attacks, overviews the attack detection area, describes
the most commonly used attack detection techniques and reviews three existing attack
detection systems.
Chapter 3 presents the target system requirements which have been derived from the
study carried out in Chapter 2. These requirements are categorised into the target system
service requirements and the user interface requirements.
Chapter 4 states the functional specification of the Attack Detection System according
to the target system requirements, and presents the high level design of the ADS.
Chapter 5 presents the low level design of the ADS. This presentation includes detailed
descriptions of the design of each module.
Chapter 6 presents the ADS implementation according to the design. This includes
justifications of implementation decisions, explanations of how the designed modules
have been implemented, and examples of the ADS testing carried out.
1.7 Summary
The widespread use of computer networks and distributed systems in computing (e.g. in
Health Care Establishments, business, industry) as well as the lack of sufficient
protection by today's security mechanisms highlight the need for attack detection
systems. The Attack Detection System (ADS) presented in this thesis is a rule-based
system which provides real-time attack detection. It uses a method of points allocation
in order to categorise users according to their suspicion, and takes countermeasures to
protect the target system from further attacks. The following chapters show how this
system was developed by presenting the requirements, functional specification, design,
implementation and testing of the ADS.
2 Overview of Attack Detection
2.1 Introduction
The growing spread of computer networks and distributed systems has created a number
of threats to the security of these systems. The main source of these threats is users who
use methods of attack to damage a system. Due to the fact that the use of security
mechanisms has proved insufficient to protect a computer system from such threats, the
use of an attack detection system seems to be an advanced solution for many
organisations and institutions. Such a system should be able to log all events of a
computer system, and analyse them in order to detect attacks.
This chapter gives an overview of the attack detection area by discussing issues of
security and attack detection. Specifically, it introduces the notion of threats and attacks
giving descriptions of threat sources, types of threats, attack categories, and methods of
attack.
This chapter then presents the concept of attack detection, and three techniques that
could be used for attack detection: user profiles[9], neural networks[10], and expert
systems[11,12].
Finally, a review of existing attack detection systems includes the presentation of three
attack detection systems: the Sun C2 Security Auditing Package[13], the Intrusion
Detection Expert System[14] and the Network Security Monitor[15].
or in some way negatively affect the working of a computer system, or to damage the
interest of the organisation owning the system.
The source of a threat might be one of three factors: physical, human, and technical, as
described below:
physical factor
The physical factor includes natural disasters such as fire, storm and water
damage.
human factor
The human factor is the main source of computer breaches and includes
unauthorised users who wish to damage a system and authorised users of a
system who misuse the system either deliberately or accidentally.
technical factor
The technical factor is the equipment of a system which might fail to carry out
its functions (equipment failure) or might carry them out in an inappropriate way
(equipment malfunction).
There are different types of threats that may endanger a computer system. Short
descriptions of the types of threats to be addressed in a computer network follow in the
next section.
In general terms, the target of a threat is the computer system. In particular, the assets of
a computer system, i.e. the hardware, the software, the data, etc., are subject to threats.
The following list of types of threats describes the results to the above assets that might
become apparent when threats have been realised[3,5,16].
Disclosure of Information
Corruption of Information
Misuse of Resources
Unauthorised use of the resources (CPU, disk, I/O devices, etc.) of a system may
lead to destruction, alteration or loss of integrity of the resources, and lack of
availability of the resources for authorised activities.
Denial of Service
Denial of service includes the failure of a system to carry out one or more of its
functions. The threat of denial of service in the computer network of an
organisation which is dependent to a great degree on IT for its operations is
potentially catastrophic. For this reason, this threat must be considered
thoroughly as part of any security policy.
Apart from this list of threats there is also another threat, the Repudiation of Information
Flow. The repudiation of information flow involves denial of transmission or receipt of
messages. Although this is a considerable threat in a networked environment which
conveys valuable information, it does not actually endanger a computer system.
Repudiation is a threat by one user against another, not a threat to the system as a
whole, which is why it is not included in the above list.
When a threat has been realised an attack is said to take place. Attacks are categorised
into accidental and intentional attacks according to the attacker's intentions and into
passive and active attacks according to their effects on the system. Descriptions of these
attack categories follow[3]:
Accidental Attacks
Accidental attacks are those that occur with no premeditated intent. Such attacks
occur as a result of system malfunctions, operational blunders, software bugs,
and user mistakes.
Intentional Attacks
Intentional attacks are those that occur with premeditated intent, and may range
from casual data and system examination using easily available monitoring tools
to sophisticated attacks using special system knowledge.
Passive Attacks
Active Attacks
2.2.3 Methods of Attacks
Some methods of attack that could be used against a computer network are:
Bogus Frame Insert: A user inserts bogus frames, either synthesised or saved from a
previous connection, into the message stream.
Traffic Flow Analysis: Examining the flow of messages across a network. The
frequency, length and addresses (both source and destination) of messages are
analysed.
Replay: "Playing back" a recording of a previous legitimate message.
Denial of sending a message or its contents: A user denies the fact of sending a
message or its original content.
Denial of receiving a message or its contents: A user denies the fact of receiving
a message or its original content.
The attack detection systems are an approach to enhancing the security of a computer
system. These systems are based on the auditing of events that take place on a computer
system. They aim to provide a trail which could be useful in determining how the
system was breached and who was responsible for this breach. However, they do not
prevent breaches[3].
Essentially, the attack detection area comprises the following four aspects: event
monitoring, event analysis, attack detection and counteraction.
Event Monitoring
The event monitoring includes the capture of the events of a computer system by
a specific module called an audit trail, and the recording and storing of these
events in special files in a predetermined format. Each record of those files
represents an event called an audit record.
Event Analysis
The event analysis covers the division between the security relevant and security
irrelevant events. Examples of such security-relevant events are unsuccessful
attempts to read, write, or delete a file.
Attack Detection
The attack detection forms the central part of the system including the
characterisation of the suspicious security relevant events as attacks.
Counteraction
Computer system audit trails are analysed with the use of automated tools. These
automated tools first attempt to isolate security relevant events, so that they can reduce
the large volume of audit data. Subsequently, they examine the security relevant audit
records to detect actual attacks. This examination may take place after the attack or in
real-time. The following types of audit data examination are relevant for security
purposes[9]:
The examination of audit trails involves the analysis of the users' activities on a
computer system. Anderson[19] has attempted a categorisation of users upon whom
attention should be focused in an audit trail examination, as follows:
internal penetrators: authorised users of a system who are not authorised for the
use of resources accessed. This category also includes masqueraders who
operate under another user's identity, and clandestine users who evade auditing
and access controls.
The detection of attacks carried out by the user categories described above requires the
use of attack detection techniques. A survey of the existing techniques is presented in
the next section.
The design and implementation of an attack detection system requires the use of
appropriate techniques which will achieve the goals of such a project. In recent years,
many research groups and institutions have developed and experimented with different
methods of detecting attacks. Three attack detection techniques have gained favour:
user profiles[9], neural networks[10], and expert systems[11,12].
The user profiles technique aims at distinguishing users from one another. This
approach is based on user patterns of computer system usage, and on the fact that user
behaviour characteristics may be used to discriminate between normal user behaviour
and departures from it.
In addition to the measures described above, the user profiles technique can be used to
examine other user characteristics related to a user's keyboard use. A user's keyboard
activity includes measures like typing speed, typing errors, etc.
Due to the fact that a user's behaviour is very complex, and observation and detection of
departures from the normal activity of a user is quite difficult, the technique described
in the previous subsection may cause a significant number of false alarms. These alarms
can mislead the statistical algorithms used for this detection approach, so that
undetected attacks can pass through a system. Neural networks have been used in recent
years in an attempt to progressively replace the user profiles technique[20]. Laurene
Fausett[21] defines neural networks as follows:
One of the areas in which neural networks are currently being applied is the general area
of pattern recognition[22]. The user profiles technique described in the previous section
falls into this general area. Teresa Lunt[10] has attempted a description of the problems
that neural networks seem to solve if used as a replacement for the user profiles technique:
In some cases statistical methods require the use of assumptions about the
underlying distributions of user behaviour, such as a Gaussian distribution of
deviations from a norm. Invalid assumptions may lead to a high false-alarm rate.
Neural networks do not require such assumptions, thus a neural network
approach can increase the reliability of an attack detection system.
difficult[9]. Regarding the evaluation process, a measure may seem to be
ineffective when considered for all users, but may be useful or totally effective
for some particular user. A neural network can serve as a tool which helps the
evaluation process of various sets of measures.
The revising of old statistical algorithms and building new software is a time
consuming procedure. In addition, it is costly to reconstruct existing statistical
algorithms and to modify the software which implements them. Neural network
implementation has proved easier to maintain and adopt[9].
Difficulty in scaling
The use of a statistical approach causes new problems when the number of users
to be monitored is large, e.g. thousands of users. Therefore, the need for
methods which will be used to assign individuals to groups on the basis of
similarity of behaviour, becomes apparent. Such a method results in the need to
maintain group profiles instead of a profile for each user. Although there are a
number of characteristics that could assist this grouping, such as job title, shift,
responsibilities, etc., this approach may prove inadequate. A neural network
could be used to classify users according to their actual observed behaviour, thus
making group monitoring more effective.
Although the neural network technique seems to be promising for intrusion detection
systems, Lunt believes that a neural network approach cannot simply replace a
statistical-based approach[9].
The expert systems technique uses traditional expert system technology, which simply
involves the codification of the knowledge of experts in intrusion detection into the
form of rules. These rules are maintained in a rule base and are used to examine the
audit data for suspicious activity.
Several projects have adopted the expert system technique to fill some of the gaps in the
statistical-based approach. In the Intrusion Detection Expert System (IDES)[14]
approach described in Section 2.5.2, the rule base contains encoded information about
known system vulnerabilities, reported attack scenarios and intuition about suspicious
behaviour. These rules do not depend on past user or system behaviour. An example of
such a rule might be that more than three unsuccessful login attempts for the same user
identity within five minutes is to be treated as a penetration activity.
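As an added illustration (not code from the thesis's ADS, whose implementation is described in Chapter 6), the following Python sketch shows how a rule such as the one above and the ADS's point allocation method (Section 4.3) fit together: it replays constructed audit records, gives a user points each time a rule fires, and picks a countermeasure from the user's point total. The second rule, the point values, the thresholds and the record format are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records, not real audit output: (timestamp, user, event, success).
AUDIT_RECORDS = [
    (datetime(2024, 1, 1, 10, 0, 0), "mallory", "login", False),
    (datetime(2024, 1, 1, 10, 0, 30), "alice", "login", False),
    (datetime(2024, 1, 1, 10, 1, 0), "mallory", "login", False),
    (datetime(2024, 1, 1, 10, 1, 30), "alice", "login", False),
    (datetime(2024, 1, 1, 10, 2, 0), "mallory", "login", False),
    (datetime(2024, 1, 1, 10, 2, 30), "alice", "login", True),
    (datetime(2024, 1, 1, 10, 3, 0), "mallory", "login", False),
    (datetime(2024, 1, 1, 10, 4, 0), "mallory", "login", False),
    (datetime(2024, 1, 1, 10, 5, 0), "mallory", "delete_file", False),
    (datetime(2024, 1, 1, 10, 6, 0), "alice", "read_file", True),
]

# Assumed countermeasure thresholds on a user's accumulated points.
INFORM_SO_AT = 5
LOCK_ACCOUNT_AT = 10


class FailedLoginBurstRule:
    """The rule from the text: more than three failed logins for the same user
    identity within five minutes is treated as penetration activity."""
    points = 5  # assumed value allocated each time the rule fires

    def __init__(self, limit=3, window=timedelta(minutes=5)):
        self.limit = limit
        self.window = window
        self.failures = defaultdict(deque)  # user -> timestamps of failed logins

    def evaluate(self, record):
        ts, user, event, success = record
        if event != "login" or success:
            return 0
        recent = self.failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        return self.points if len(recent) > self.limit else 0


class FailedDeleteRule:
    """Constructed rule: an unsuccessful attempt to delete a file, one of the
    security-relevant events named under Event Analysis, earns points."""
    points = 2

    def evaluate(self, record):
        ts, user, event, success = record
        return self.points if event == "delete_file" and not success else 0


def countermeasure(points):
    """Map a user's point total to the action the ADS instructs the target system to take."""
    if points >= LOCK_ACCOUNT_AT:
        return "instruct target system to lock account"
    if points >= INFORM_SO_AT:
        return "inform security officer"
    return None


def run_detector(records, rules=None):
    """Replay records in time order, allocate points per rule hit, and return
    (points per user, list of (timestamp, user, points, countermeasure))."""
    rules = rules or [FailedLoginBurstRule(), FailedDeleteRule()]
    points = defaultdict(int)
    actions = []
    for record in sorted(records, key=lambda r: r[0]):
        ts, user = record[0], record[1]
        earned = sum(rule.evaluate(record) for rule in rules)
        if earned == 0:
            continue  # event is not suspicious under any rule
        points[user] += earned
        action = countermeasure(points[user])
        if action:
            actions.append((ts, user, points[user], action))
    return dict(points), actions


if __name__ == "__main__":
    totals, taken = run_detector(AUDIT_RECORDS)
    print(totals)
    for entry in taken:
        print(entry)
```

With the constructed records, mallory's fourth and fifth failed logins each fire the login rule and the failed delete adds two more points, so the security officer is informed at five points and the lock instruction is issued once the total reaches ten; alice's two failures never cross the limit and earn nothing.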
Although the expert system technique can be used to fill some of the gaps in the
statistical-based technique, it also has two limitations[9] as described below:
The rules have information about known vulnerabilities and attacks, but not
about unknown ones.
2.4.4 Conclusion
The presentation of attack detection techniques shows that none of these techniques
could be sufficient alone, because each addresses a certain user category and/or some of
the methods of attack[9]. A successful intrusion detection system should incorporate a
number of these techniques.
Although the Attack Detection System (ADS) described in the remaining chapters uses
only the expert system technique, the results showed that its performance is
satisfactory (see Chapter 7). On the other hand, the ADS is a flexible system which
allows the incorporation of other techniques in the future. This is facilitated by the use
of a method of points allocation described in Section 4.3.
This section is divided into three subsections. The first subsection presents a security
auditing package which has been implemented to assist the security officer's job. The
second one gives a description of the functionality of a real-time intrusion detection
expert system which incorporates both the user profiles and the expert system
techniques. Finally, the third subsection presents a network security monitoring system
which is based on profiles of the usage of network resources.
The Sun Operating System (SunOS) provides a security option to match the C2 class of
the Department of Defence (DoD) Computer System Centre Evaluation Criteria. This
security option is the Sun C2 Security Auditing Package[13] which logs events and
examines audit data in batch mode.
In accordance with the C2 class requirements, the system makes users individually
accountable for their actions using login and password procedures, audits the security
relevant actions, and isolates resources[23]. The Sun C2 security features differ slightly
from those required in C2 class. These differences include encryption of passwords,
auditing of most system events, and password requirement for single-user booting.
The Sun C2 security auditing package is not a real-time system. It gathers information
about user activities, stores it in special audit files and processes it in batch mode when
requested by the Security Officer of the system. The purpose of the auditing process is
to gather information about who is performing an operation, what this operation is, what
operations are occurring with unusual frequency, and who is performing abnormal
operations. Two sets of information are captured: a set of audit information for all users
at the login time (called the system audit value), and a set of audit information for each
particular user ID (called the user audit value). The format of the Sun C2 security
auditing package audit records is described in [24].
The user action types that are monitored by the Sun C2 package are first defined by the
system audit value and subsequently they are modified by the user audit value. A record
is logged in one of the audit files for each action. The Sun C2 combines the system
audit value and the user audit value to define a new term, the process audit state. The
process audit state is set at login time, and is uniquely associated with one process that a
user executes. It determines the events that should be audited for that process according
to the following three rules which are also presented on a decision matrix in Figure 2.1.
1. When the system audit state specifies auditing and the user audit state either
specifies auditing or it is not able to specify, then the event should be audited.
2. When the system audit state defines auditing and the user audit state defines no
auditing, then the event is not audited.
3. When the system audit state defines no auditing and the user audit state defines
auditing, then the event is audited.
The Sun C2 security auditing package audits sets of occurrences of events defined as
event classes. Figure 2.2 lists the event classes supported to date.
name description
dr Read of data, open for reading, etc.
dw Write or modification of data
dc Creation or deletion of any object
da Change in object access (modes, owner)
lo Login, logout, creation by at
ad Normal administrative operation
p0 Privileged operation
p1 Unusual privileged operation
An audit state is signified by a flag, called the audit flag, which indicates a particular
event class. This flag determines what should be done with an event and has the
following format:
<option><class>
An option might be the symbol '+' or the symbol '-' or it might be blank. A class is any
of the above described event classes. The plus symbol defines the auditing of successful
events, e.g. a successful reading of a file, the minus symbol defines the auditing of
failed events, e.g. writing a file failed, whereas the absence of either defines the auditing
of both successful and failed events.
An audit value definition is a comma-separated list of audit flags. The following two
criteria guide the Security Administrator in his choice of the initial audit value:
the amount of space you have for audit file systems; the more events you audit,
the more space you will need.
The audit value is chosen at installation time for all the users of a system and can be
modified later for each user, according to their suspiciousness.
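The following Python model, added here and not taken from the Sun C2 package, parses audit values in the <option><class> format above and applies the three decision-matrix rules to combine a system audit value with a user audit value into a process audit state, then decides whether a given event is logged. It assumes that a class the user value mentions overrides the system value for that class, and, because the text shows no flag syntax for "no auditing", takes the classes a user value switches off as a separate parameter.

```python
# Event classes from Figure 2.2 (name -> description).
EVENT_CLASSES = {
    "dr": "Read of data, open for reading, etc.",
    "dw": "Write or modification of data",
    "dc": "Creation or deletion of any object",
    "da": "Change in object access (modes, owner)",
    "lo": "Login, logout, creation by at",
    "ad": "Normal administrative operation",
    "p0": "Privileged operation",
    "p1": "Unusual privileged operation",
}

SUCCESS, FAILURE = "success", "failure"


def parse_audit_value(value):
    """Parse a comma-separated list of audit flags into {class: set of outcomes}.

    '+dr' audits successful dr events only, '-dw' audits failed dw events only,
    and a bare 'lo' audits both outcomes. Unknown classes are rejected so that a
    typo in an audit value cannot silently leave a class unaudited.
    """
    state = {}
    for flag in value.split(","):
        flag = flag.strip()
        if not flag:
            continue
        if flag[0] == "+":
            cls, outcomes = flag[1:], {SUCCESS}
        elif flag[0] == "-":
            cls, outcomes = flag[1:], {FAILURE}
        else:
            cls, outcomes = flag, {SUCCESS, FAILURE}
        if cls not in EVENT_CLASSES:
            raise ValueError("unknown event class %r in audit flag %r" % (cls, flag))
        state.setdefault(cls, set()).update(outcomes)
    return state


def is_valid_audit_value(value):
    """True when every flag in the audit value names a known event class."""
    try:
        parse_audit_value(value)
        return True
    except ValueError:
        return False


def process_audit_state(system_value, user_value, user_no_audit=()):
    """Combine the system and user audit values into the process audit state.

    Rule 1: the system value audits a class and the user value either audits it
            too or says nothing -> audited (as the user value says if it speaks,
            otherwise as the system value says).
    Rule 2: the system value audits a class but the user value switches it off
            -> not audited. The classes switched off arrive in user_no_audit
            (assumed parameter; the page shows no flag syntax for this).
    Rule 3: the system value does not audit a class but the user value does
            -> audited as the user value says.
    A class neither value mentions is not audited (assumed; not stated on the page).
    """
    system_state = parse_audit_value(system_value)
    user_state = parse_audit_value(user_value)
    state = {}
    for cls in EVENT_CLASSES:
        if cls in user_no_audit:
            continue  # rule 2
        if cls in user_state:
            state[cls] = set(user_state[cls])  # rules 1 and 3: user value speaks
        elif cls in system_state:
            state[cls] = set(system_state[cls])  # rule 1: fall back to system value
    return state


def should_audit(state, event_class, succeeded):
    """Decide whether one event (class plus outcome) is logged under the given state."""
    outcome = SUCCESS if succeeded else FAILURE
    return outcome in state.get(event_class, set())


def example_decisions():
    """Constructed configuration: the system audits all dr events, failed dw events
    and all lo events; the user value narrows dw to successes, adds p0, and
    switches lo off."""
    state = process_audit_state("dr,-dw,lo", "+dw,p0", user_no_audit=("lo",))
    return {
        "dr_ok": should_audit(state, "dr", True),
        "dr_fail": should_audit(state, "dr", False),
        "dw_ok": should_audit(state, "dw", True),
        "dw_fail": should_audit(state, "dw", False),
        "lo_ok": should_audit(state, "lo", True),
        "p0_fail": should_audit(state, "p0", False),
        "dc_ok": should_audit(state, "dc", True),
    }
```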
Since the process audit state is set at the login time of a user, all the processes of this
user and all their child processes inherit this audit state. However, there are cases where
the audit state changes. The audit state change process is responsible for such changes
which could be either permanent changes or immediate changes, as follows:
Permanent changes are made in cases of new login sessions, i.e. a user logs in
another session. In such a case, the audit state of this user will change and all the
new processes will inherit the new audit state, whereas the existing processes
will not.
Immediate changes are made in the middle of a user's sessions and do not affect
new sessions. An example of an immediate change is when the Security Officer
begins documenting the activities of a suspicious user. In this case, the audit
state affects all the existing processes but not new sessions.
When the Sun C2 security auditing package has been installed, it records user events
according to the values of the parameters specified above and logs these events in
special audit files. These files are placed on a separate file system, called audit file
system. At any time the Security Officer may process the stored information and
examine the result of this processing.
The main disadvantage of this auditing system is that it is not fully automated, which
means that it cannot actually detect attacks. Nevertheless, it can be used as an auditing
system which provides audit data to assist the Security Officer's job, or as the event
collection component of an attack detection system which can use the collected audit
data for its processing.
Although during the last several years a number of automated audit trail analysis
techniques have been examined and many intrusion-detection systems have been
implemented, SRI's work is the basis of many attack detection systems. SRI
International has designed and developed a real-time comprehensive attack detection
system called Intrusion Detection Expert System (IDES)[14]. The main objective of
IDES is to provide a system independent mechanism for real-time detection of security
violations. This model provides a framework for a general purpose attack detection
system due to the fact that it is independent of any particular application environment,
level of audit data, system vulnerability, or type of intrusion. The IDES approach is
based on the hypothesis that any exploitation of a computer system's vulnerabilities
entails behaviour that deviates from previous patterns of use of the system[25].
Consequently, intrusions can be detected by observing abnormal patterns of use.
The IDES design model, the IDES system and its active processes are discussed below.
The IDES design model is divided into four parts, as shown in Figure 2.3:
The IDES target domain consists of a set of realms¹ that are being monitored for
anomalous activity.
¹ In the IDES environment, a realm is a group of similar target machines that are being monitored;
"similar" means that the machines produce audit trails that have the same format.
2. The realm interface
The IDES realm interface is the bridge that connects the IDES domain and the
IDES analytical components. This interface has two pieces:
the part that resides within the IDES target domain (the realm client),
the other one local to the IDES processor (the realm server).
These two components are responsible for collecting the target system activities
for the IDES analytical engines, and for filtering out any realm-private data and
setting it aside for specific uses as needed.
The IDES processor is the computing environment that is responsible for the
analysis of the information acquired from the IDES domain. It is composed of
two event subsystems; one event subsystem is based on statistical methods and
another one is rule-based.
The IDES user interface component allows the user to view any of the
information created and processed within the IDES system (i.e., within the realm
interface and the IDES event subsystems), as well as to observe any
component's status and activity.
1. the Realm Interface that implements the interface between the IDES target
domain and the IDES processor,
2. the Statistical Anomaly Detector that implements the event subsystem based on
statistical methods[26,27],
3. the Expert System Anomaly Detector that implements the rule-based event
subsystem[28,29], and
4. the User Interface that implements the interface between the IDES processor and
the security officer.
Short descriptions of these components and their main functions are provided below.
The general functionality of the IDES is depicted in Figure 2.4.
1. Realm Interface
The realm interface is responsible for accepting the raw data, converting it to a
standard IDES audit record format, and temporarily storing it (if necessary) until
the IDES analytical components can process it. The realm interface consists of
two sub-components: a target system component (called agen) which
implements the realm client, and an IDES component (called arpool) which
implements the realm server. Agen collects raw audit data from several sources
on the target machine and translates the system's native audit record format into
a format that IDES can process.
Arpool is the clearing house for IDES audit records. Its purpose is to accept
IDES-formatted audit records from multiple target machines and serialise them
into a single stream. It then does some further processing of the data, such as
time stamping each IDES audit record and assigning a unique sequence number
to each one.
2. Statistical Anomaly Detector
3. Expert System Anomaly Detector
The expert system anomaly detector implements the expert systems technique
described in Section 2.4.3. The IDES rule-based component evaluates user
behaviour by evaluating events (audit records) using a set of rules from a
knowledge base. These rules describe suspicious behaviour based on knowledge
of past intrusions, known system vulnerabilities, and the installation-specific
security policy. The user's behaviour is analysed without reference to whether it
matches past behaviour patterns. While the statistical anomaly detector attempts
to define normal behaviour for a user, the expert system anomaly detector
attempts to define proper behaviour, and to detect any breaches of etiquette.
4. User Interface
a set of analyst tools used for the experimentation and testing of the
IDES statistical component.
In conclusion, the IDES is a real-time stand-alone system which detects attacks using a
statistical anomaly detector for the implementation of the user profiles technique, and a
rule base for the implementation of the expert system technique. The incorporation of
these two techniques makes the IDES more efficient and reliable than other systems.
The main concept of the NSM hierarchical model is based on a four dimensional matrix
(similar in concept to the well-known access matrix) of which the axes are:
Each cell in the matrix represents a unique connection on the network from a source
host to a destination host by a specific service, and holds two values:
the number of packets passed on the connection over a certain time interval,
which is also known as the counter. This counter indicates how many packets
have been generated by a single connection.
the sum of the data carried by those packets, i.e. how many bytes of data have
been generated by the connection (a packet may contain a variable amount of
data).
The data patterns in the matrix represent the current traffic; an analyser is used to
examine these patterns to determine if an attack is occurring on the system. There are
two methods of performing such an examination:
1. To compare the traffic matrix against a matrix holding a certain pattern (a mask). One
approach to implementing this method is to keep patterns of known attacks and to let
through only those current traffic measurements whose values match a known attack.
With this method a previously unseen problem or attack could go unnoticed; the
opposite approach could therefore be more successful. In other words, the mask holds the
'normal' pattern and lets through only measurements which do not match it.
Figure 2.5 presents the latter approach in three matrices.
Figure 2.5: current data, data mask, anomalous data
The first matrix depicts the values of the current data (the data under
examination), the second matrix holds the values of the mask, and the third one
shows the cells that deviate from the known pattern, i.e. the anomalous data.
The NSM groups cells in a logical and hierarchical fashion in order to apply the
described examination method. The groups are then presented to a mask, which
in turn has been grouped. If a group passes through the mask, this group can be
presented to the security officer. Furthermore, the NSM can break the group into
its smaller constituents to perform a more detailed analysis.
Figure 2.6 shows the gradual grouping of cells that creates a coarse grain matrix
from a fine grain matrix.
Figure 2.6: coarse grain matrix
The groupings are based on the axes of the matrix discussed above. Each level of grouping
effectively reduces the dimension of the matrix by one. These groupings include the
source-destination-service, the source-destination, and the source groups as they are
described below. The result of these groupings is a hierarchical structuring of groups from
the Source group to the individual cell, as depicted in Figure 2.7.
Figure 2.7: Searching from a coarse grain matrix analysis to a fine grain analysis
(Source, Source-Destination, Source-Destination-Service)
2. To apply a set of rules against the matrix. This method examines the current
traffic matrix by applying a set of rules to it. Unfortunately, examination results
have shown that not all rules apply well at all grouping levels, so a mask may only
be applicable at a single level.
Short descriptions of these components and their main functions are provided below:
packet catcher
The packet catcher captures data of the traffic of a network, collects the
individual bits into separate ethernet packets, and passes each packet to the
parser. It is the only platform-dependent component of the NSM.
parser
The parser takes the packet from the packet catcher, parses the layers of
protocol, extracts pertinent information from each layer, and passes the
information to the matrix generator. The parser needs to have detailed
knowledge of the protocols it is required to parse. The pertinent information
consists of the packet's source, the packet's destination, the service, which host
initiated the connection, and a unique thread ID. Although NSM is currently
parsing only IP and TCP protocols, this pertinent information should be
available in most other protocols as well.
matrix generator
The matrix generator takes the information passed down from the parser, finds
the cell in the Access Control Matrix (or current traffic matrix) to which the
packet belongs, and increments a counter in that cell. Due to the fact that the
number of all the possible 4-tuples <source, destination, service, connection
ID> is extremely large, a sparse matrix is implemented with linked lists and is
shared with the matrix analyser. In addition to communicating with the matrix
analyser by updating counters in the matrix cells, every time a new node has to
be generated a message is sent to the matrix analyser to indicate that a new
communication has begun.
The linked-list matrix format consists of a list of nodes containing the addresses
of hosts which have placed a packet on the network, as described below:
Each of these source nodes has a list of nodes holding the addresses of
hosts to which the source node has sent a packet. It also contains the total
number of packets which it has generated, and it knows how many
destination nodes are below it.
Each service node has a list of nodes holding information about each
connection using the service between the source and destination hosts. It
also contains the sum of all the packets using the service between the
source and destination nodes, and it knows how many connection nodes
are below it.
Each connection node contains the number of packets used by the
connection and which host, source or destination, initiated the
connection.
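The sparse current-traffic matrix and its grouping levels described above, as an added Python example that is not part of the thesis or of the NSM implementation. The TrafficMatrix class, its method names and the packets fed to it are hypothetical; nested dictionaries stand in for the NSM linked lists, and each index node keeps the packet total that the hierarchical search reads without descending further.

```python
class TrafficMatrix:
    """Hypothetical sparse NSM-style matrix: source -> destination -> service -> connection id."""
    def __init__(self):
        self.sources = {}            # nested dicts stand in for the NSM linked lists
        self.new_connections = []    # "new communication" messages for the analyser

    def add_packet(self, src, dst, service, conn_id, nbytes, initiator=None):
        # find (or create) the chain of index nodes down to the packet's cell
        s = self.sources.setdefault(src, {"packets": 0, "dests": {}})
        d = s["dests"].setdefault(dst, {"packets": 0, "services": {}})
        v = d["services"].setdefault(service, {"packets": 0, "conns": {}})
        c = v["conns"].get(conn_id)
        if c is None:
            # a new connection node: record the initiating host and tell the analyser
            c = v["conns"][conn_id] = {"packets": 0, "bytes": 0, "initiator": initiator}
            self.new_connections.append((src, dst, service, conn_id))
        for node in (s, d, v, c):      # every index node keeps its own packet total
            node["packets"] += 1
        c["bytes"] += nbytes           # the cell also sums the data carried

    def group(self, level):
        """Coarse-grain view: packet counts keyed by the first `level` axes (1..4)."""
        out = {}
        for src, s in self.sources.items():
            if level == 1:
                out[(src,)] = s["packets"]
                continue
            for dst, d in s["dests"].items():
                if level == 2:
                    out[(src, dst)] = d["packets"]
                    continue
                for svc, v in d["services"].items():
                    if level == 3:
                        out[(src, dst, svc)] = v["packets"]
                        continue
                    for cid, c in v["conns"].items():
                        out[(src, dst, svc, cid)] = c["packets"]
        return out

def build_sample_matrix():
    """Constructed sample traffic between hypothetical hosts A, B and C (not real capture data)."""
    m = TrafficMatrix()
    for packet in [  # (src, dst, service, conn_id, bytes, initiator)
        ("A", "B", "smtp", 1, 300, "A"),
        ("A", "B", "smtp", 1, 200, "A"),
        ("A", "C", "ftp", 3, 1500, "C"),
        ("B", "A", "smtp", 4, 100, "B"),
    ]:
        m.add_packet(*packet)
    return m
```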
matrix analyser
The matrix analyser examines the matrix representing the current traffic.
Specifically, it looks for unusual traffic patterns. This examination is done by
means of the two methods described above.
The matrix analyser also handles the reporting of problems to a security officer.
When another component, the NSM user interface, is added, the matrix analyser
will then pass the results to the interface module, which will determine how to
present the results to the officer.
matrix archiver
The matrix archiver writes the matrix representing the current traffic out to disk.
Currently, a signal to save the matrix is sent to the archiver by the matrix
analyser every 15 minutes. The size of NSM archive files is approximately two
and a half kilobytes when compressed. Thus, approximately one megabyte of
storage is used every four days. The archive files can be used to build or update
a network profile. Also, if a previously unsuspicious host is marked as
suspicious, its previous network activity can be tracked.
Essentially, the analysis phase performed by the NSM includes two procedures:
detection of specific patterns and detection of unusual patterns. These two procedures
are described below:
detection of specific patterns
In conclusion, the NSM examines the current network traffic when a new node is added,
and at five minute intervals. When a new node is added to the network, the probabilistic
analysis examines the cell against the normal/abnormal mask. At five minute intervals,
the entire traffic matrix is compared to the normal/abnormal mask and the rules.
Examining the probability that each path will exist and the probability that the amount
of traffic generated on each path is normal can be expensive, so the hierarchical search
pattern is used to limit the depth of the search. The search examines the summary
information at each index node - the grouping information mentioned previously - to
determine whether to perform an analysis deeper into the matrix or not. For example, if
two nodes are communicating within normal boundaries, further examination of the
individual services and connections may not be conducted.
Finally, the NSM's normal profile does not consist simply of a mean and a variance; it
consists of a range of values and the probability of observing a value at each range.
Careful examination of network traffic showed that data amounts were not always
distributed in a Gaussian manner; therefore, the mean and variance could not capture
the true shape of the data.
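The normal/abnormal mask, the hierarchical search that prunes groups whose summary is already normal, and the range/probability profile described above, as an added Python example that is not the thesis's or the NSM's own code. The threshold, the profile ranges, the group keys and the traffic counts are all constructed for illustration.

```python
THRESHOLD = 0.05   # assumed cut-off: a range seen less often than this is "unusual"

def is_anomalous(profile, key, value):
    """NSM-style mask check: `value` is anomalous if it falls outside every profiled
    range for `key` or inside a range whose observed probability is below THRESHOLD.
    A path with no profile at all has never been seen, so it is anomalous too."""
    ranges = profile.get(key)
    if ranges is None:
        return True
    for low, high, prob in ranges:
        if low <= value <= high:
            return prob < THRESHOLD
    return True

def hierarchical_search(profile, counts, max_depth=3):
    """Start at the source groups and only descend into a group when its summary
    count is itself anomalous; return the deepest anomalous keys reached."""
    findings = []
    frontier = [key for key in counts if len(key) == 1]
    while frontier:
        key = frontier.pop()
        if not is_anomalous(profile, key, counts[key]):
            continue                      # normal at this grain: prune the subtree
        children = [k for k in counts if len(k) == len(key) + 1 and k[:len(key)] == key]
        if children and len(key) < max_depth:
            frontier.extend(children)
        else:
            findings.append(key)
    return sorted(findings)

# constructed normal profile: per group, (low, high, probability of observing that range)
PROFILE = {
    ("A",): [(0, 150, 0.96), (151, 300, 0.04)],
    ("A", "B"): [(0, 120, 0.95), (121, 200, 0.05)],
    ("A", "B", "smtp"): [(0, 100, 0.97), (101, 140, 0.03)],
    ("A", "B", "telnet"): [(0, 20, 1.0)],
    ("A", "C"): [(0, 40, 1.0)],
    ("A", "C", "ftp"): [(0, 40, 1.0)],
    ("B",): [(0, 50, 1.0)],
}
# constructed current traffic: packet counts per group at every grain
COUNTS = {
    ("A",): 260, ("A", "B"): 130, ("A", "B", "smtp"): 110, ("A", "B", "telnet"): 20,
    ("A", "C"): 130, ("A", "C", "ftp"): 130,
    ("B",): 30, ("B", "A"): 30, ("B", "A", "smtp"): 30,
}
```

Running hierarchical_search(PROFILE, COUNTS) reports only the A to C ftp path: the A to B smtp count would fail its own mask if examined, but the A to B summary passed, so the search never descends into it, which is exactly the cost of the depth-limiting search the text describes.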
2.5.4 Conclusion
This section has described three attack detection systems: the Sun C2 Security Auditing
Package, the Intrusion Detection Expert System, and the Network Security Monitor.
The Sun C2 Security Auditing Package provides auditing of events selected by the
security officer of a system, and processes the audit data producing brief lists of security
relevant events which can be traced more easily. It is a batch system which does not
actually detect attacks but helps the security officer to detect suspicious users and the
actual activities of a system. In addition, the Sun C2 Security Auditing Package might
be used for the collection of audit data to support the development of an attack detection
system. The Attack Detection System used this package during the first stages of its
development. Finally, an event reception module was developed to provide the required
format of audit data.
The Intrusion Detection Expert System (IDES) is a real time attack detection system. It
incorporates the use of a statistical model and an expert system. The statistical model
processes the audit data to detect masquerades and the expert system attempts to detect
users who raise suspicion because of abnormal activities in general.
The Network Security Monitor is based on the IDES concept. It uses traffic flow
analysis to detect attacks and its strategy is based on the monitoring of the usage of
network resources and not on the monitoring of users.
The Attack Detection System (ADS) described in the remaining chapters uses the expert
system technique with a rule base and applies a method of points allocation (see Section
4.3) which ensures its success and allows the incorporation of other techniques (e.g.
neural networks) in the future.
2.6 Summary
This chapter has introduced the concepts of threats and attacks in a computer system
and has discussed some of the main issues of attack detection. Furthermore, three attack
detection techniques have been presented, and three attack detection systems have been
surveyed. The target system requirements stated in the next chapter draw on these
issues.