            New Methods of Intrusion Detection using Control-Loop Measurement
                                   May 16, 1996

             Myron L. Cramer <myron.cramer@gtri.gatech.edu>
             James Cannady <james.cannady@gtri.gatech.edu>
                Jay Harrell <jay.harrell@gtri.gatech.edu>
                       Georgia Tech Research Institute
                       Georgia Institute of Technology
                         Atlanta, Georgia 30332-0800

      This paper describes a new concept in network intrusion detection
      based upon statistical recognition of an intruder's control-loop. These
      criteria offer advantages in infinite networks and where a priori
      attack scenarios are not known. This paper describes the need for
      better intrusion detection methods, the applicability of digital signal
      processing to real-time network surveillance, the concept of control-
      loop behavior, and the design of an innovative intrusion detection
      system employing these methods. We also discuss the benefits of this new
      system in comparison with alternative technologies.

Purpose
    The purpose of this paper is to describe some new ideas in intrusion detection.
These ideas are based upon a review of the physics of the problem and an analysis
of applicable technological approaches. The proposed new methods reflect
concepts still in development and evaluation by the authors. This paper includes
discussion of the need for better Intrusion Detection Systems (IDS), Intrusion
Detection System Operational Concepts, Applicability of Digital Signal Processing
(DSP) to Intrusion Detection System design, Control-Loop Concepts, Use of the
above in an Intrusion Detection System, and the benefits of this approach.

Role of Intrusion Detection
   As illustrated in Figure 1, intrusion detection systems (IDSs) can be viewed as
the second layer of protection against unauthorized access to networked
information systems. It is believed that no reasonable access control system can
preclude intrusions. Despite the best access control systems, intruders are still
able to enter computer networks with greater frequency than anyone would like.
IDSs augment the security provided by the access control systems by providing
system administrators with warning of the intrusion and information to assist in
damage control or mitigation. Although IDSs can be designed to verify the proper
operation of access control systems by looking for the attacks that get past the
access control systems, this second layer is most useful when it can detect
intrusions that use methods different from those looked for by the access
control systems. To do this they must use more general and more powerful
methods than simple database look-ups of known attack scenarios. Effective
intrusion detection is necessary to cue response options.


New Methods of Intrusion Detection               Technology for Information Systems Security – May, 1996




                 [Figure 1: three stacked layers, bottom to top:
                  CONTROL ACCESS, DETECT INTRUDERS, RESPOND]

           Figure 1. Intrusion Detection Systems are the Second Layer of Defense

    Characteristics of Intrusion Detection Systems
       In order to satisfy its functions, the ideal intrusion detection system should
    have the following characteristics:
        Timeliness:                    It should detect intrusions either while they are
                                       happening or shortly afterwards.
        High probability of detection: It should recognize all or most intrusions.
        Low false-alarm rate:          It should have a low number of false intrusion alarms.
        Specificity:                   In identifying attacks, it should give sufficient
                                       characterization data to support an effective response.
        Scalability:                   It should be applicable to large (infinite) networks.
        Low a priori information:      It should require a minimum of a priori information
                                       about potential attackers and their methods.

       Although these characteristics appear compelling, they have not been
    available, nor are they likely to result from traditional approaches. The
    performance of IDSs can be described in various ways. In evaluating the
    performance of IDSs as they become available, quantitative performance metrics
    will be useful. At the simplest level, there are three fundamental classes of
    metrics that could be used: quantity, quality, and time, as illustrated in
    Figure 2.








       [Figure 2: three classes of IDS performance metrics]
         Quantity: # nodes protected, # computers monitored, # threats recognized,
                   # users tracked, # simultaneous attacks, # alarms,
                   # system administrators
         Quality:  Probability of Detection, False Alarm Rate,
                   Undetected Intrusion Rate
         Time:     Mean Time to Detect, Mean Time to Sound Alarm, Data Currency

       Figure 2. Performance Metrics for IDSs include Quantity, Quality, and Time

        Quantitative metrics include the number of nodes protected, the number of
    user profiles tracked, the number of simultaneous attacks that can be tracked,
    and the number of system administrators supported. The number of simultaneous
    attacks is significant in light of attack strategies which include the use of large
    feint attacks intended to distract responses from the real attacks.
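
    A small scorer for the quality and time metrics of Figure 2, added here as an
    example and not part of the original paper: given constructed intrusion windows
    and alarm times, it computes probability of detection, undetected intrusion rate,
    false alarm rate and mean time to detect. The matching rule (an alarm is credited
    to an intrusion when it names the same source and falls inside the intrusion
    window plus a grace period) and the sample data are this example's assumptions,
    not definitions from the paper.

```python
"""Scoring one IDS run against the quality and time metrics of Figure 2.

Added example, not from the paper. Intrusion windows and alarm times are
constructed; the matching rule (an alarm detects an intrusion if it names the
same source and falls inside the intrusion window plus a grace period) is an
assumption, not the paper's definition.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Intrusion:
    """Ground-truth intrusion: attributed source and its activity window (seconds)."""
    source: str
    start: float
    end: float


@dataclass(frozen=True)
class Alarm:
    """An IDS alarm raised at time t and attributed to a source."""
    t: float
    source: str


# Constructed ground truth and alarms for one evaluation run (documentation addresses).
SAMPLE_INTRUSIONS = [
    Intrusion("203.0.113.5", 100.0, 400.0),
    Intrusion("203.0.113.7", 500.0, 700.0),
    Intrusion("203.0.113.9", 900.0, 1000.0),
]
SAMPLE_ALARMS = [
    Alarm(150.0, "203.0.113.5"),   # first alarm on intrusion 1, 50 s after it started
    Alarm(200.0, "203.0.113.5"),   # repeat alarm on intrusion 1: neither credited nor false
    Alarm(650.0, "203.0.113.7"),   # intrusion 2 detected 150 s after it started
    Alarm(800.0, "198.51.100.4"),  # matches no intrusion: false alarm
    Alarm(1500.0, "203.0.113.9"),  # right source, but after the grace period: false alarm
]


def score_run(intrusions, alarms, grace=60.0):
    """Return probability of detection, undetected intrusion rate, false alarm
    rate and mean time to detect for one run.

    Each intrusion is credited to the earliest matching alarm. Later alarms on
    an already-detected intrusion are neither credited nor counted as false;
    an alarm that matches no intrusion is a false alarm.
    """
    first_alarm = {}  # intrusion -> time of the first alarm that matched it
    false_alarms = 0
    for alarm in sorted(alarms, key=lambda a: a.t):
        match = next((i for i in intrusions
                      if i.source == alarm.source and i.start <= alarm.t <= i.end + grace),
                     None)
        if match is None:
            false_alarms += 1
        elif match not in first_alarm:
            first_alarm[match] = alarm.t
    n = len(intrusions)
    delays = [first_alarm[i] - i.start for i in intrusions if i in first_alarm]
    return {
        "probability_of_detection": len(first_alarm) / n if n else 0.0,
        "undetected_intrusion_rate": (n - len(first_alarm)) / n if n else 0.0,
        "false_alarm_rate": false_alarms / len(alarms) if alarms else 0.0,
        "mean_time_to_detect": mean(delays) if delays else None,
    }


if __name__ == "__main__":
    for name, value in score_run(SAMPLE_INTRUSIONS, SAMPLE_ALARMS).items():
        print(f"{name}: {value}")
```

    On the constructed run two of three intrusions are detected (probability of
    detection 2/3, undetected rate 1/3), two of five alarms are false (false alarm
    rate 0.4), and the mean time to detect is 100 s. Note that the late alarm on
    the third intrusion counts against the IDS twice, as a miss and as a false
    alarm, which is why timeliness appears in Figure 2 alongside the quality metrics.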

    Scope of Intrusion Detection Systems
       The scope of an IDS includes the types and quantities of systems to be
    supported, the types of threats or attackers considered, and the types of intrusion
    activities addressed by the system. Some systems may be designed primarily for
    insider threats: they monitor user activities and ensure that they remain
    within norms. Other systems may focus on backing up the access control systems,
    ensuring that specified attack scenarios are not able to enter the networks.

       System to be Protected: The protected system can be an individual machine or
    a network of machines. Problems arise in trying to protect a network by
    installing individual protection on each machine in the network. These problems
    include configuring, managing, monitoring, and coordinating distributed
    intrusion detection activity. In many instances, protecting the network can be
    more important than protecting some of the individual processors!

        Attackers: There are wide differences in the types of possible threats. The
    degrees of threats can range from the recreational hacker to the full-scale “Type
    II Information Warfare Attack” directed and focused, and in some instances
    funded by national government or well-resourced organizations. Objectives of
    attacks may include attempts to compromise confidentiality, authentication,
    integrity, or the availability of services.







    Classification of IDSs
        The “standard” classifications of IDSs include the following categories:
    statistical anomaly detection, rule-based anomaly detection, and rule-based
    penetration identification. The new methods discussed in this paper do not fit
    into any of these categories! For this reason we need to take a fresh perspective on
    system designs, and we introduce a different way to think of system design
    approaches.
        In this new view, IDSs can be characterized by: where they live, what you have to
    tell them, what they look for, which technologies they use, and what they tell you.
    We discuss these in the following paragraphs.

       Where they live… There are several choices of hosts for an IDS as depicted in
    Figure 3 below. These include the standard network elements including routers,
    hubs, servers, and client systems.




             [Figure 3: network diagram with DNS, SMTP, POP, HTTP and FTP
              servers as candidate IDS hosts]

             Figure 3. Possible hosts for an IDS Include Many Network Locations

       The first possible host for an IDS is on the computer(s) being protected. This
    poses scaling problems for large networks, as well as installation, configuration,
    and management issues for distributed IDS operation. It also suffers from the
    worst visibility of related network activity. On the positive side, however, it does
    have the best visibility of the IDS host computer.

        Another and potentially better IDS host is a separate processor strategically
    attached to the network. This approach has advantages for large networks,
    including installation, configuration, and management. It also has the best visibility
    of the overall network.






        What you have to tell them … The fundamental problem is the detection
    criteria for an “intrusion”. This can include scenarios of attack or penetration
    based upon historical information, normal user profiles, and expected system
    usage patterns.

       What they look for … In looking for intrusions, an IDS examines records such
    as computer log files, which give historical usage data, or ongoing process activity
    information from the operating system for real-time intrusion detection. These
    systems then look for matches with either known scenarios of attack or
    penetration, or they look for anomalies relative to anticipated user or system
    profiles. A good criterion needs to be predictive! This includes the recognition
    of novel attacks and methods.

    Recognizing Intrusions
       The fundamental problem in IDS design is really how to recognize the
    behavior associated with intrusions. A determined attacker effects his intrusion
    through a sequence of activities to achieve a desired result. Generally, each of
    these actions, viewed by itself, is a normal legitimate activity. It is only when the
    sequence of an attack is assembled that the intruder's hostile objectives become
    clear.

       Intrusions can come in many ways. Consider the type of intruder in Figure 4
    who is conducting a systematic focused attack on a network over the Internet.
    Although this is not the only type of intruder, this is potentially one of the most
    dangerous. He has a source from which he is attempting to accomplish his
    malicious objectives using some initial knowledge of the target system. From his
    entry point, he will select specific elements in the targeted network; he will have
    some specific actions he intends to effect; and he will utilize some specific
    methods some of which we may have never seen before.




            [Figure 4: an attacker on the Internet facing a network of DNS, SMTP,
             POP, HTTP and FTP servers.
             Attacker side: Sources, Objectives, Knowledge.
             Target side:   Targets, Actions, Methods.]

        Figure 4. The Class of Focused External Attackers is of Special Interest




       Which technologies they use … Technologies for IDS typically include database
    methods and expert systems such as rule-based, case-based, or neural
    networks. Another class of technologies includes Digital Signal Processing
    (DSP). DSP methods include both digital filters and spectrum analysis.
    A good method needs to be adaptable!

    Digital Signal Processing (DSP)
       Digital signal processing is a technology-driven field. It typically includes
    methods of processing discrete-time signals or time series data sequences. These
    include digital filters and spectrum analysis.

        In assessing new potentially applicable technologies for intrusion detection, it
    is our premise that DSP is one with potentially high payoffs. DSP is widely used
    in many applications in electrical and computer engineering, including modern
    control systems, sensors and communications. Using modern statistical
    methods, time-series data are collected, filtered, correlated, and analyzed for
    many purposes including event detection. The recognition and characterization
    of computer network protocols has been among the applications successfully
    handled by DSP.

    Time Series Data
        Network traffic includes time series data in the form of structured sequences
    of ones and zeros. As shown below in Figure 5, the time series data contains
    patterns that implement the structures of the various nested protocols carrying
    the network traffic. Applying DSP methods to this traffic includes integrating
    time-series data streams with digital models designed to correlate or weight
    activities of interest and to filter out uninteresting activities, which may be
    combinations of external addresses and certain combinations of processes.

       01111110      11000000        XXXXXXXX   (INFO)   XXXXXXXXXXXXXXX     01111110      SLP
       01111110      10000000        XXXXXXXX   (INFO)   XXXXXXXXXXXXXXX     01111110      SLP
       01111110      11110000        XXXXXXXX   (INFO)   XXXXXXXXXXXXXXX     01111110      MLP
       01111110      11100000        XXXXXXXX   (INFO)   XXXXXXXXXXXXXXX     01111110      MLP

                    Figure 5. Network Traffic Can Be Viewed as a Time Series

    Protocol Analysis
       Statistical signal processing is one method of DSP that can be used to
    decompose protocol structures. In Figure 6 below we see that the HDLC and
    DDCMP protocols have recognizable features when viewed in the bispectrum
    generated through Cyclostationary Signal Processing. Cyclostationary Signal
    Processing is a powerful statistical method that identifies characteristics in time
    series autocorrelations. The independence of these features is illustrated below
    showing the combined presence of HDLC and DDCMP.
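
    As an added illustration of the time-series view of Figure 5 and of the
    correlation step, not code from the paper: the following Python treats a bit
    stream as a ±1 time series and correlates it with the HDLC flag 01111110
    (Σ x(t)y(t) at every offset) to recover frame boundaries, then undoes HDLC zero
    insertion to read back the address, control and information fields. The
    addresses come from Figure 5; the control fields and payloads are constructed,
    and the bit-stuffing helpers are this example's own.

```python
"""Recovering HDLC-style framing from a raw bit stream by correlation.

Added example, not the paper's code. The flag 01111110 and the zero-insertion
(bit-stuffing) rule are HDLC's; the addresses in the frames below are taken
from Figure 5, while the control fields and payloads are constructed.
"""

FLAG = "01111110"  # HDLC frame delimiter, the first and last column of Figure 5


def stuff(bits):
    """HDLC zero insertion: after five consecutive 1s the sender inserts a 0,
    so no payload can imitate the flag's run of six 1s."""
    out, run = [], 0
    for b in bits:
        out.append(b)
        run = run + 1 if b == "1" else 0
        if run == 5:
            out.append("0")
            run = 0
    return "".join(out)


def unstuff(bits):
    """Inverse of stuff(): drop the 0 that follows every run of five 1s."""
    out, run, drop_next = [], 0, False
    for b in bits:
        if drop_next:
            drop_next, run = False, 0
            continue
        out.append(b)
        run = run + 1 if b == "1" else 0
        if run == 5:
            drop_next = True
    return "".join(out)


def build_stream(frames):
    """Serialize (address, control, info) frames; the closing flag of one frame
    doubles as the opening flag of the next, as HDLC allows."""
    bodies = [stuff(addr + ctrl + info) for addr, ctrl, info in frames]
    return FLAG + FLAG.join(bodies) + FLAG


def correlate(stream, template):
    """Σ x(t+k) y(k) at every offset t, with bits mapped to +1/-1 so that an exact
    match scores len(template) and an exact complement scores -len(template)."""
    x = [1 if b == "1" else -1 for b in stream]
    y = [1 if b == "1" else -1 for b in template]
    n = len(y)
    return [sum(x[t + k] * y[k] for k in range(n)) for t in range(len(x) - n + 1)]


def find_flags(stream):
    """Offsets where the stream matches the flag exactly (correlation peak of 8)."""
    return [t for t, score in enumerate(correlate(stream, FLAG)) if score == len(FLAG)]


def frames_from_stream(stream):
    """Split the stream at the detected flags and undo bit stuffing, giving back
    (address, control, info) triples."""
    flags = find_flags(stream)
    frames = []
    for start, end in zip(flags, flags[1:]):
        body = unstuff(stream[start + len(FLAG):end])
        if len(body) >= 16:  # at least the address and control fields are present
            frames.append((body[:8], body[8:16], body[16:]))
    return frames


# Constructed frames; the addresses are those shown in Figure 5.
SAMPLE_FRAMES = [
    ("11000000", "00010001", "1010101011111111"),  # eight consecutive 1s: stuffing kicks in
    ("10000000", "00010010", "01100110"),
    ("11110000", "00110011", "1111100100001111"),
]

if __name__ == "__main__":
    stream = build_stream(SAMPLE_FRAMES)
    print("flags at offsets", find_flags(stream))
    for frame in frames_from_stream(stream):
        print(frame)
```

    The ±1 mapping is what makes the correlation sum a clean detector: a flag
    scores exactly 8, and because zero insertion guarantees the payload never
    contains six consecutive 1s, no other offset can reach that score. The same
    matched-filter step, with a different template, is how the "Correlation
    Process" of Figure 8 would weight activities of interest.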







           [Figure 6: bispectrum plots (log scale): DDCMP Only, HDLC Only,
            and HDLC & DDCMP Combined]

                         Figure 6. Protocols Can Be Statistically Recognized
                                      Credit: Booz, Allen & Hamilton Inc.

    Control Loop Measurement
       The methods of DSP provide a powerful new tool in the recognition of patterns
    in network activity. This tool can implement general intrusion criteria. The
    authors believe that these include the concept of Control Loop Measurement.

        Hypothesis: There is a new intrusion detection criterion utilizing the signature
    of an intruder's control-loop. A control-loop is characterized by observability
    (surveillance) in conjunction with controllability (process accesses and system
    calls). We illustrate how to quantify this control and how to apply the resulting
    measure to discriminate intruders from normal activities.

    Control-Loop Detection
       The field of Control Theory in electrical engineering includes the concepts of
    Observability and Controllability. Within this theory, a control system compares
    observations of a system’s state with desired states to generate corrections
    intended to steer the system being controlled toward the desired state. As shown
    in Figure 7 below, it is our premise that the activities of a focused external
    intruder can be viewed as a control loop.








                 [Figure 7: control loop. Desired State and Observed State feed a
                  Comparison, which yields a Required Correction applied to the
                  target through Controllability; the Observed State returns to
                  the attacker through Observability.]

                 Figure 7. A Focused External Attacker Utilizes a Control Loop

       As shown in this figure, an attacker’s network activities are characterized by
    observability (surveillance) in conjunction with controllability (process access and
    system calls). We believe that “high control behavior” provides a useful metric for
    discriminating interesting activities that may be useful in recognizing intruders.
    We also believe that high control behavior can be statistically detected in the bi-
    directional data flows using the tools of DSP.
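
    One way to quantify “high control behavior”, added here as an example and not
    the paper's own method: for each external source A, count surveillance events
    as observability O[A] and process-access/system-call events as controllability
    C[A] over a sliding time window, and score the source by the product
    O[A] * C[A], the Intrusion Model term named in Figure 8. The log format, the
    event taxonomy, the 300 s window and the alarm threshold are assumptions, since
    the paper does not fix them.

```python
"""Control-loop measurement over a per-source event log.

Added example, not the paper's system. It quantifies, for each external
source A, observability O[A] (surveillance events) and controllability C[A]
(process access and system-call events) inside a sliding time window and
scores the source by the product O[A] * C[A] that Figure 8 labels the
intrusion model. The log lines are constructed; the event names, the window
length and the alarm threshold are assumptions.
"""
from collections import defaultdict

# Which logged actions count as surveillance and which as control (assumed taxonomy).
OBSERVE = {"dir_listing", "service_query", "file_read", "user_enum"}
CONTROL = {"process_exec", "file_write", "config_change"}

# Constructed log: a browsing user (.10), a batch job that only writes (.20),
# and a source that alternates surveillance and control, i.e. closes a loop (.30).
SAMPLE_LOG = """\
t=0   src=203.0.113.10 act=dir_listing
t=30  src=203.0.113.10 act=file_read
t=60  src=203.0.113.10 act=file_read
t=90  src=203.0.113.10 act=service_query
t=120 src=203.0.113.10 act=file_read
t=150 src=203.0.113.10 act=file_read
t=0   src=203.0.113.20 act=dir_listing
t=10  src=203.0.113.20 act=file_write
t=20  src=203.0.113.20 act=file_write
t=30  src=203.0.113.20 act=file_write
t=40  src=203.0.113.20 act=file_write
t=50  src=203.0.113.20 act=file_write
t=5   src=203.0.113.30 act=service_query
t=20  src=203.0.113.30 act=process_exec
t=45  src=203.0.113.30 act=dir_listing
t=70  src=203.0.113.30 act=config_change
t=100 src=203.0.113.30 act=user_enum
t=130 src=203.0.113.30 act=process_exec
t=160 src=203.0.113.30 act=file_read
t=190 src=203.0.113.30 act=file_write
t=900 src=203.0.113.30 act=file_read
"""


def parse(log):
    """Turn 'key=value' log lines into (time, source, kind) events, kind being
    'observe' or 'control'; actions outside either set are ignored."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        act = fields["act"]
        kind = "observe" if act in OBSERVE else "control" if act in CONTROL else None
        if kind is not None:
            events.append((float(fields["t"]), fields["src"], kind))
    return sorted(events)


def control_loop_scores(events, window=300.0):
    """Per source, the maximum of O[A] * C[A] over every interval of length `window`."""
    per_source = defaultdict(list)
    for t, src, kind in events:
        per_source[src].append((t, kind))
    scores = {}
    for src, evs in per_source.items():
        best, lo, o, c = 0, 0, 0, 0
        for t, kind in evs:
            if kind == "observe":
                o += 1
            else:
                c += 1
            # slide the window's left edge forward, dropping events older than t - window
            while evs[lo][0] < t - window:
                if evs[lo][1] == "observe":
                    o -= 1
                else:
                    c -= 1
                lo += 1
            best = max(best, o * c)
        scores[src] = best
    return scores


def flag_sources(scores, threshold=10):
    """Sources whose control-loop score reaches the alarm threshold."""
    return sorted(src for src, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    scores = control_loop_scores(parse(SAMPLE_LOG))
    print(scores)
    print("flagged:", flag_sources(scores))
```

    On the constructed log the browsing user scores 0 (it observes but never
    controls), the batch job scores 5 (it controls with almost no observation),
    and the alternating source scores 16, which is the discrimination the text
    claims for the product: neither surveillance alone nor process access alone is
    suspicious, while their joint presence within one window is.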

    Functional Concept
        The functional concept of a system using the new methods discussed above is
    illustrated in Figure 8 below. The system concept includes a sequence of
    processes acting on network traffic serving to generate real-time activity spectra.








     [Figure 8: processing chain. Network Traffic -> Data Conditioning -> Time-Series Data
      (e.g. 1000001011001111111001100011 …) -> Statistical Filtering, y(t) = F{x(t)} ->
      Filtered Time-Series Data -> Correlation Process, Σ x(t)y(t) -> Feature Data ->
      Detection Process -> Activity Spectra. The Intrusion Model, O [A] * C [A], feeds
      the Correlation Process.]

     Figure 8. A System Functional Concept Implements Control Loop Measurement

    Operational Concept
       The Control Loop Measurement functional concept can be implemented in
    several obvious ways. The notional figure below illustrates an implementation in
    a DSP board plugged into a slot in a main router. This implementation may be
    attractive for some installations due to the visibility it gives the IDS over all
    external traffic.




          [Figure 9: the Internet connected through a main router, which hosts the
           Intrusion Detection board, to a network of DNS, SMTP, POP, HTTP and FTP
           servers]

          Figure 9. A Router-Based Implementation of Control Loop Measurement




       What they tell you … Likely outputs from a Control Loop Measurement IDS
    include Spectral analysis and presentations of high degrees of observability and
    controllability, the instantaneous distribution of external connections, internal
    distribution of significant correlated connections, and scale indicators of
    suspicious activity.

    Benefits
       In this paper we have discussed a concept and rationale for a class of new
    methods of intrusion detection. Potential benefits of these new methods include
    higher detection probability, lower false alarm rate, more timely warning (real-
    time), lower processing burden, lower management burden, reduced demand for
    a priori data, greater security, less cumbersome operation, wider applicability,
    and better coverage zones.

    Summary
        Our paper presented a summary of the needs for advanced intrusion detection
    systems. This reflects the growing recognition of the inherent penetrability of any
    networked computer system. The objective of any intrusion detection system is to
    generate alarms and warning data whenever likely break-ins are suspected. The
    ideal intrusion detection system is timely, has a high probability of detection, low
    false-alarm rate, provides useful attack characterization data, and is scalable to
    large (infinite) networks such as the Internet. Additionally, it must operate with
    a minimum of a priori information about potential attackers and their methods.

        Digital Signal Processing (DSP) is in wide use in many applications of
    electrical and computer engineering, including modern control systems, sensors
    and communications. Using modern statistical methods, time-series data is
    collected, filtered, correlated, and analyzed for many purposes including event
    detection. The recognition and characterization of computer network protocols
    has been among the applications successfully handled by DSP. We illustrated
    these methods with selected examples.

        A determined attacker effects his intrusion through a sequence of activities to
    achieve a desired result. Each of these actions, viewed by itself may be a normal
    legitimate activity. It is only when this sequence is assembled that the intruder's
    hostile objectives become clear. The core of the intrusion detection problem is how
    to recognize this behavior. We described a new criterion based upon detection of the
    intruder's control-loop. In general, a control-loop is characterized by observability
    (surveillance) in conjunction with controllability (process launches
    and system calls). We illustrated how to quantify this control and how to apply the
    resulting measure to discriminate intruders from normal activities.

       Finally we described the use of Control-Loop detection in an intrusion detection
    system and described its benefits over alternative technologies.



