Network Intrusion Simulation Using OPNET

Shabana Razak, Mian Zhou, Sheau-Dong Lang*
School of Electrical Engineering & Computer Science
and National Center for Forensic Science*
University of Central Florida, Orlando, FL 32816
E-mail: {srazak, mzhou, lang}@cs.ucf.edu

Network intrusion detection and network security are important issues faced by the IT industry. Hackers apply an array of techniques to cause disruption of normal system operations, but on the defensive side, the firewalls and practical intrusion detection systems (IDS) in use today are only effective against known intrusions, which they recognize by signature, and are far from mature when faced with novel attacks. Our work deals with simulation of intrusion traffic by explicitly generating data packets based on real-life TCPDUMP data that contain intrusion packets. The explicitly generated traffic in OPNET simulation allows research on data filtering and intrusion detection strategies. In this paper we report experimental studies of simulation efficiency and network performance of simulated networks using a firewall to capture Denial-of-Service (DOS) attacks.

Keywords: network intrusion detection, intrusion simulation, DOS attacks, TCPDUMP

1. Introduction

Providing access to network services and to the Internet, an organization offers many benefits to itself and its staff. However, the more access that is provided, the greater the danger of increased vulnerability for hackers to exploit.

Computer intrusions are occurring almost routinely, and have become a major issue of our networked society. How to detect intrusions presents a big challenge to every organization, which includes selecting the IDS software, assessing the tradeoffs between the risks and cost factors, etc.

Our research is focused on the study of network intrusions and their effects on the network in a simulated environment. In this paper we report our experimental results of network performance measures and simulation efficiency of networks under DOS attacks, all simulated using OPNET.

2. Network Intrusion Detection

Intrusion detection systems are used to help computer systems prepare for and deal with attacks. This goal is accomplished by collecting information from a variety of system and network sources, then analyzing the information for symptoms of security problems [4, 6]. In some cases, intrusion detection systems allow the user to specify real-time responses to the violations. Following are some of the functions an IDS provides:
• Monitoring and analysis of user and system activity.
• Auditing of system configurations and vulnerabilities.
• Assessing the integrity of critical system and data files.
• Recognition of activity patterns reflecting known attacks.
• Statistical analysis for abnormal activity patterns.
• Operating system audit trail management, with recognition of user activity reflecting policy violations.

Some systems provide additional features, including:
• Automatic installation of vendor-provided software patches.
• Installation and operation of decoy servers to record information about intruders.

The combination of these features allows system managers to more easily handle the monitoring, audit, and assessment of their systems and networks. This ongoing assessment and audit activity is a necessary part of sound security management practice.

Most security measures employed are not 100% secure. Intrusion detection systems can help security analysts find out whether an attack has taken place, either in real time or immediately after the attack. One of the challenges faced by security managers is how to identify network intrusions and how to evaluate the effectiveness of an IDS.

3. Simulation of Network Intrusion

Intrusion detection algorithms are typically effective in detecting intrusions with known signatures, but poor in detecting new attacks. Studying and testing a new intrusion detection algorithm against a variety of (perhaps simulated) intrusive activities under realistic background traffic is an interesting and difficult problem. Such studies can be performed either in a real environment or in a simulated environment [8]. We now briefly summarize these two approaches to simulating intrusion and their relative merits, followed by a description of our approach.

3.1 Simulation in Real Environments

In this approach many real users produce significant background traffic by using a variety of network services, e.g., mail, telnet, etc. This background traffic is collected and recorded, and intrusive activities can be emulated by running exploit scripts. The advantage of this approach is that the background traffic is sufficiently realistic, which eliminates the need for analyzing and simulating the patterns of normal user activities. However, the following drawbacks have been reported [8]:
• The testing environment may be exposed to attacks from the Internet, in addition to the simulated attacks.
• The inaccuracy of the results may increase if the background traffic contains unexpected intrusive data originating from outside sources.
• Normal system operations could be interrupted by simulated attacks.

3.2 Simulation in Experimental Environments

Most researchers perform testing and studies in experimental or simulated environments, due to the high risk of performing tests in a real environment [8]. In this approach realistic background traffic can be generated in the following three ways: (1)
employing humans to manually perform whatever occurs in a real environment; (2) using simulation scripts to generate data conforming to the statistical distributions of background traffic in a real environment; and (3) collecting from a real environment and replicating in the simulated environment. The disadvantages of studying intrusions in simulated environments include:
• The overhead of manually producing background traffic involving many users can be very high.
• The behaviors of real users are difficult to model, and there are no standardized statistical distributions of the background traffic.

3.3 Our Approach to Intrusion Simulation

We use OPNET to build the simulated network environment. The network traffic source comes from the MIT/Lincoln Lab TCPDUMP files, which contain intrusion traffic simulating various network attacks [2]. Alternatively, we could use software tools such as NMAP [5] to generate attacks while running a network sniffer such as Ethereal [1] to capture the network traffic, with the attack and network sniffing activities all occurring in a controlled lab environment. The captured Ethereal file, which includes the attack data and normal user data if desired, can be used in our intrusion simulation experiment.

For both the TCPDUMP file and the Ethereal file, we use our own pre-processing tools to extract the traffic information that is necessary for OPNET simulation. Our tools can parse the TCPDUMP file and the Ethereal file, extracting the data packet headers, the flag information, and the time distribution. (We have not included the packet payload in the simulation at this point, but that is certainly possible.) The OPNET software provides an ACE (Application Characterization Environment) module which can be used to import packet traces into a simulation, supporting packet formats from various sources including TCPDUMP files [7]. We are using our own approach because of the flexibility of selecting parts of the data packets and slicing large data files into more manageable pieces prior to simulation.

4. Simulation Models using OPNET

We are using OPNET for our research because of the several benefits it offers. OPNET provides a GUI for the topology design, which allows for realistic simulation of networks, and has a performance data collection and display module. Another advantage of using OPNET is that it has been used extensively and there is wide confidence in the validity of the results it produces. OPNET enables realistic analysis of performance measures and the effectiveness of intrusion detection techniques. In a similar work, OPNET was used in a performance study of an intrusion detection system using statistical preprocessing and neural network classification [9]. One of our research goals is to study techniques that can speed up OPNET simulation for large data files suspected of containing intrusion attacks.

4.1 Generating Intrusion Data

We first use the Dosnuke attack as an example to illustrate the process of our intrusion simulation. Dosnuke is a type of denial-of-service attack which sends Out-Of-Band data (MSG_OOB) to port 139 (NetBIOS) of a Windows NT system, causing the victim to crash (blue-screening the machine) [3]. The attack can be detected by searching the sniffed data for a NetBIOS handshake followed by NetBIOS packets with the "urg" flag set. We used the data of the TCPDUMP outside file (1999/week5/Monday data set) from MIT/Lincoln Lab, which contains Dosnuke attack packets [2].

4.2 Customizing Data Packet Format

We defined our own packet format in the OPNET simulation. The packet corresponds to the IP header, which includes the IP addresses, port numbers, the flags, and a few other fields.

4.3 Pre-processing Source Traffic File

Before we could build the simulated network model using OPNET, we needed to first pre-process the TCPDUMP file (or Ethereal file) to extract pertinent information, including:
• The packet inter-arrival times, which are saved as a list of double-type values.
• The time duration, which is the time difference between the first packet and the last packet of the traffic source.
• A list of the distinct IP addresses in the traffic source.

4.4 Building Network Models

Figure 1 shows the OPNET model for simulating the Dosnuke attack. There are 10 virtual PC nodes arranged into two columns in the figure: PC 0 – 4 on the left side and PC 5 – 9 on the right side. The top node in the center column is the "generator", which prepares the packets extracted from the traffic source. Once a packet is ready, it is given to its source PC node, and from there it will be sent to the destination PC node through the hub (located at the bottom of the center column). There is no delay between the generator and the end PC nodes, so the traffic flow is consistent with the captured traffic source.

The number of virtual PCs is the outcome of pre-processing the source traffic file. Since there are 10 distinct IP addresses in the source, the model uses 10 PC nodes connected to each other through a hub. Node 0 (the top node in the right side column) is the "hacker", and node 1 (below node 0 in the figure) is the "victim" of the Dosnuke attack. There is a "firewall" node between the victim and the hub which we use to capture suspicious data packets to or from the victim using the Dosnuke attack's signature.

Figure 1: The network model simulating Dosnuke intrusion

The node domain of the "generator" is shown in Figure 2. There is a generator module (pk_generator) configured to use a script file of inter-arrival times for generating the packets. The script file is the result of pre-processing the traffic source. Figure 3 shows the attribute panel of pk_generator.

Figure 2: The node structure of the packet generator

Figure 3: The attribute panel of "pk_generator"

Within the "dispatch" module of the generator node in Figure 2, the traffic source file is parsed and the next data packet extracted. Whenever a packet arrives from "pk_generator", its fields are set according to the corresponding values of the data packet from the source traffic, e.g., the destination, flags, etc. Then, the packet is sent to the PC node corresponding to the source IP address. Thus, the packet arrival time and its contents will match the information in the original traffic source.

Figure 4: The structure of the virtual PC in process domain

Figure 4 depicts the process domain for each virtual PC, which supports the packet streams in and out. We also set up a firewall between the hub and the victim of the Dosnuke attack. The firewall uses a simple signature-based detection which looks for packets sent to port 139 (NetBIOS) of the victim PC with the "urg" flag set in the packet header.

The pre-processing tools we developed can be reused for simulating other types of intrusion attacks. To demonstrate, we also simulated the ProcessTable DOS attack using the MIT/Lincoln Lab TCPDUMP files. We needed to set up a network in OPNET using 20 PC nodes because there are 20 distinct IP addresses involved in the traffic source. We also modified the intrusion detection logic of the firewall node using the new attack's signature, and added the corresponding statistical measures to the OPNET simulation. The results of the simulations are described in the following section.

5. Analysis of Simulation Results

5.1 The Dosnuke Attack

The source traffic data for the Dosnuke attack comes from the MIT/Lincoln Lab TCPDUMP outside file, 1999/week5/Monday data set. This data set includes the initial 5 minutes of data, and only one type of attack. In our experiment, we pre-processed the source file, and extracted less than 3 minutes of data containing a total of 367 TCP packets. There were 10 packets captured by the firewall node due to the Dosnuke attack, 9 of which were sent from the attacker node to the victim and one sent from the victim back to the attacker.

We set up several statistical measures in OPNET to study the performance of the intrusion simulation. For example, Figure 5 depicts the IP address distributions of the data packets during the entire simulation, where the IP addresses correspond to the PC node numbers 0 – 9 on the y-axis. The figure clearly demonstrates patterns of consecutive accesses to the same IP addresses during several short intervals of the simulation, although these accesses are irrelevant to the Dosnuke attack.

Figure 5: IP address distribution of data packets

Figure 6 depicts the rates of data packets captured by the firewall. The occurrences of the packets and the times of their arrivals are clearly shown in the figure: there were a few rapid arrivals in the beginning, followed by 3 more at later times. This figure demonstrates the occurrences of the Dosnuke attack and its capture by the firewall.
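The pre-processing of Section 4.3 and the firewall signature of Section 4.4 can be reproduced outside OPNET. The Python script below is an added example, not the authors' pre-processing tools (whose interfaces the paper does not describe): it parses a libpcap (TCPDUMP) file, extracts the three items listed in Section 4.3 (inter-arrival times, total duration, distinct IP addresses), and applies the Dosnuke signature the way the firewall node does, a packet to port 139 of the victim with the URG flag set. It also keeps the victim's reply on a flagged connection, which is an assumption about how the paper arrives at the one reverse-direction capture it reports. The trace is constructed inline from bare headers; every IP address in it is a placeholder.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example (not the paper's tools). Parses a classic libpcap file,
# extracts the Section 4.3 pre-processing outputs, and applies the
# Section 4.4 firewall signature for Dosnuke.

TCP_SYN, TCP_ACK, TCP_URG = 0x02, 0x10, 0x20
NETBIOS_PORT = 139                 # the port the paper's signature watches


@dataclass
class Packet:
    ts: float      # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: int     # raw TCP flag byte


def parse_pcap(data: bytes) -> List[Packet]:
    """Return the TCP/IPv4 packets of a little-endian microsecond pcap
    (link type Ethernet). Only header fields are kept; payload is ignored,
    as in the paper's simulation."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap variant")
    pkts, off = [], 24             # 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue               # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        pkts.append(Packet(sec + usec / 1e6,
                           ".".join(map(str, frame[26:30])),
                           ".".join(map(str, frame[30:34])),
                           sport, dport, tcp[13]))
    return pkts


def preprocess(pkts: List[Packet]) -> Tuple[List[float], float, List[str]]:
    """The three items of Section 4.3: inter-arrival times, total duration,
    and the sorted list of distinct IP addresses (the model's node count)."""
    ts = [p.ts for p in pkts]
    inter = [round(b - a, 6) for a, b in zip(ts, ts[1:])]
    duration = round(ts[-1] - ts[0], 6) if ts else 0.0
    ips = sorted({p.src for p in pkts} | {p.dst for p in pkts})
    return inter, duration, ips


def is_dosnuke_signature(p: Packet, victim: str) -> bool:
    """Section 4.4 firewall rule: packet to port 139 of the victim, URG set."""
    return p.dst == victim and p.dport == NETBIOS_PORT and bool(p.flags & TCP_URG)


def firewall_capture(pkts: List[Packet], victim: str) -> List[Packet]:
    """Keep packets matching the signature plus the victim's replies on the
    same connection (assumed reading of 'to or from the victim')."""
    flagged = set()                # (peer_ip, peer_port) of matched senders
    captured = []
    for p in pkts:
        if is_dosnuke_signature(p, victim):
            flagged.add((p.src, p.sport))
            captured.append(p)
        elif p.src == victim and p.sport == NETBIOS_PORT and (p.dst, p.dport) in flagged:
            captured.append(p)
    return captured


# --- constructed sample trace: placeholder addresses, headers only ---
def _frame(src, dst, sport, dport, flags) -> bytes:
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(records) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


ATTACKER, VICTIM = "10.0.0.1", "10.0.0.2"     # placeholders
SAMPLE_PCAP = build_pcap([
    (0.0, _frame("10.0.0.3", "10.0.0.4", 1025, 80, TCP_SYN)),       # background
    (0.5, _frame(ATTACKER, VICTIM, 1030, 139, TCP_SYN)),             # NetBIOS handshake
    (0.6, _frame(VICTIM, ATTACKER, 139, 1030, TCP_SYN | TCP_ACK)),
    (0.7, _frame(ATTACKER, VICTIM, 1030, 139, TCP_ACK)),
    (0.8, _frame(ATTACKER, VICTIM, 1030, 139, TCP_ACK | TCP_URG)),  # signature hit
    (1.2, _frame(ATTACKER, VICTIM, 1030, 139, TCP_ACK | TCP_URG)),  # signature hit
    (2.0, _frame("10.0.0.5", "10.0.0.3", 2000, 25, TCP_SYN)),       # background
    (2.5, _frame(VICTIM, ATTACKER, 139, 1030, TCP_ACK)),            # victim reply
])


def run_demo() -> Dict[str, object]:
    pkts = parse_pcap(SAMPLE_PCAP)
    inter, duration, ips = preprocess(pkts)
    cap = firewall_capture(pkts, VICTIM)
    return {"packets": len(pkts), "inter_arrivals": inter, "duration": duration,
            "node_count": len(ips), "captured": len(cap),
            "to_victim": sum(p.dst == VICTIM for p in cap),
            "from_victim": sum(p.src == VICTIM for p in cap)}


if __name__ == "__main__":
    print(run_demo())
```

Running the script on a real TCPDUMP file means replacing SAMPLE_PCAP with the file's bytes; the inter-arrival list is what the paper's pk_generator script file holds, and the distinct-address count is what fixes the number of PC nodes in the OPNET model. The signature check deliberately ignores payload, matching the paper's header-only packet format.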
Figure 6: The inbound traffic of the firewall

We also collected statistics of the overall network traffic, which is depicted in Figure 7, although this performance measure seems irrelevant to the Dosnuke attack.

Figure 7: The overall network traffic during simulation

5.2 The ProcessTable Attack

To demonstrate the reusability of our pre-processing tools and to demonstrate our intrusion simulation methodology, we also simulated the ProcessTable DOS attack. This attack aims at filling up the process table of the underlying operating system, rendering the system lifeless until the attack terminates or the system administrator kills the attacking processes [3]. The ProcessTable attack can be detected by recording a large number of connections to a particular port of the victim node during a short period of time.

In our simulation, we used the MIT/Lincoln Lab TCPDUMP file that contains the ProcessTable attack packets, extracted the pertinent information using our pre-processing tools, then set up the simulation in OPNET. There are slightly less than 2 minutes of data with a total of 5526 data packets. We collected two statistical measures at the firewall node attempting to detect and identify the ProcessTable attack.

Figure 8 depicts the number of distinct port connections to the victim PC during simulation. It can be seen very clearly that there are 3 jumps in the graph, indicating rapid increases of port connections to the victim during 3 distinct time intervals.

Figure 8: Number of distinct port connections to victim

The ProcessTable attack can also be directed at a particular port of the victim. Figure 9 depicts the network traffic directed to Port 25 of the victim during simulation. The graph displays two peaks: the first occurred around the one-minute mark; the second started after one minute 20 seconds and lasted to the end. Thus, Figures 8 and 9 clearly demonstrate data packets that are suspicious of the ProcessTable (or similar) attacks.

Figure 9: Data traffic to Port 25 of the victim PC

5.3 Evaluation of Simulation Efficiency

Another goal of our research on intrusion simulation is to study the simulation efficiency, that is, how to speed up the simulation and intrusion detection of intrusion traffic for large data files.

We first used the data file of the Dosnuke attack and simulated the data packets and intrusion detection for different time durations. All simulations were performed on a Pentium 4 PC, with a 1.5 GHz CPU and 256 MB RAM.

Figure 10 plots the OPNET simulation time running the data files of durations ranging from 30 seconds through 131 seconds, at an increment of 30 seconds. Since there are only a few hundred data packets (367 exactly), all simulation runs completed within one second.
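The two measures collected at the firewall node in Section 5.2 (distinct connections to the victim, and traffic to one port) and the detection rule that section states (many connections to one port in a short time) can be written as plain code. The Python below is an added example, not the paper's OPNET statistics: it runs over a constructed list of connection-open records (timestamp, source, source port, destination, destination port; all addresses are placeholders), builds the two time series that Figures 8 and 9 plot, and runs a sliding-window detector over the same records. The 5-second window and the threshold of 20 distinct connections are assumed values chosen for the constructed trace, not taken from the paper.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Added example (not the paper's OPNET statistics). A connection record is
# (ts_seconds, src_ip, src_port, dst_ip, dst_port) for each connection open
# (SYN) seen by the firewall node in front of the victim.
Conn = Tuple[float, str, int, str, int]


def distinct_connection_series(conns: List[Conn], victim: str,
                               step: float, horizon: float) -> List[int]:
    """Figure 8 analogue: number of distinct connections (src, sport, dport)
    to the victim seen up to t = step, 2*step, ..., horizon."""
    series, seen = [], set()
    ordered = sorted(c for c in conns if c[3] == victim)
    i, t = 0, step
    while t <= horizon + 1e-9:
        while i < len(ordered) and ordered[i][0] <= t:
            seen.add((ordered[i][1], ordered[i][2], ordered[i][4]))
            i += 1
        series.append(len(seen))
        t += step
    return series


def port_traffic_series(conns: List[Conn], victim: str, port: int,
                        step: float, horizon: float) -> List[int]:
    """Figure 9 analogue: connection opens to one victim port per time bin."""
    bins = [0] * int(horizon // step)
    for ts, _, _, dst, dport in conns:
        if dst == victim and dport == port and ts < horizon:
            bins[int(ts // step)] += 1
    return bins


def detect_processtable(conns: List[Conn], victim: str, window: float,
                        threshold: int) -> List[Tuple[float, int, int]]:
    """Section 5.2 rule: alert when the distinct (src, sport) pairs opening
    connections to one victim port within `window` seconds reach `threshold`.
    One alert per port, at the first moment the threshold is reached."""
    recent: Dict[int, Deque] = defaultdict(deque)
    alerts, alerted = [], set()
    for ts, src, sport, dst, dport in sorted(conns):
        if dst != victim:
            continue
        q = recent[dport]
        q.append((ts, (src, sport)))
        while q and ts - q[0][0] > window:     # drop opens older than the window
            q.popleft()
        distinct = len({k for _, k in q})
        if distinct >= threshold and dport not in alerted:
            alerted.add(dport)
            alerts.append((round(ts, 3), dport, distinct))
    return alerts


# --- constructed trace: placeholder addresses ---
VICTIM, ATTACKER = "10.0.2.1", "10.0.2.99"


def constructed_trace() -> List[Conn]:
    conns: List[Conn] = []
    for i in range(30):        # background: one open every 4 s, ports 80/22/25 in turn
        conns.append((i * 4.0, f"10.0.1.{10 + i % 3}", 40000 + i, VICTIM, (80, 22, 25)[i % 3]))
    for i in range(25):        # burst 1: 25 opens to port 25 within 2 s
        conns.append((60.0 + i * 0.08, ATTACKER, 1024 + i, VICTIM, 25))
    for i in range(40):        # burst 2: 40 opens to port 25 within 10 s
        conns.append((80.0 + i * 0.25, ATTACKER, 2000 + i, VICTIM, 25))
    return conns


def run_demo() -> Dict[str, object]:
    conns = constructed_trace()
    return {
        "distinct": distinct_connection_series(conns, VICTIM, 10.0, 120.0),
        "port25": port_traffic_series(conns, VICTIM, 25, 10.0, 120.0),
        "alerts": detect_processtable(conns, VICTIM, window=5.0, threshold=20),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The cumulative series shows the same kind of jumps the paper reads off Figure 8, the per-bin series shows the two peaks of Figure 9, and the detector raises exactly one alert for port 25 at the first instant 20 distinct opens fall inside the window. The threshold has to be set against the background rate of the environment being simulated; the slow background opens here never trip it.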

Figure 10: OPNET simulation time of the Dosnuke attack (chart title: OPNET Simulation Time; x-axis: time duration of source data in seconds, with points at 30, 60, 90, 120 and 131; y-axis: OPNET simulation time)

We also ran the simulations of the ProcessTable attack file for different time durations to measure the simulation efficiency. Figure 11 plots the OPNET simulation time running the data files of durations ranging from 30 seconds through 114 seconds, at an increment of 30 seconds. There are a total of 5526 data packets in the entire file (114 seconds). We notice that the simulation time increases approximately linearly as the time duration of the source file increases. Thus, the simulation efficiency can become a significant factor when we try to quickly detect intrusions that involve large data files.

Figure 11: OPNET simulation time of the ProcessTable attack (chart title: OPNET Simulation Time; x-axis: time duration of source data in seconds, with points at 30, 60, 70, 80, 90, 100 and 114; y-axis: OPNET simulation time)

6. Conclusions and future work

In this paper we reported experimental results of network intrusion simulation using previously captured TCPDUMP data as the traffic sources. We demonstrated the use of pre-processing tools to facilitate intrusion simulation using the OPNET software. Our work demonstrated several applications of intrusion simulation using OPNET:
(1) Detecting intrusions by displaying and identifying patterns of suspicious data packets, employing various intrusion detection techniques in a firewall;
(2) Analyzing network performance and the overhead trade-offs of intrusion detection algorithms; and
(3) Evaluating the effectiveness of the IDS algorithms.

Our work also pointed out the issue and challenge of improving simulation efficiency, especially for large data files, which are common in today's workplace. Possible solutions include reducing the data sets by extracting only pertinent information; slicing the data sets based on certain criteria without degrading the effectiveness of the IDS, etc.

As future work, we plan to enhance our pre-processing tools so that they can be applied to the source data files to improve the simulation efficiency. We also plan to include the payload of the data packets in the simulation, and study the effects on the simulation efficiency and on the intrusion detection capability.

References

[1] Gerald Combs, Ethereal – Network Protocol Analyzer.
[2] DARPA Intrusion Detection Evaluation project.
[3] Kristopher Kendall, "A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems", Master's Thesis, Massachusetts Institute of Technology, 1998.
[4] David J. Marchette, Computer Intrusion Detection and Network Monitoring, Springer-Verlag, 2001.
[5] NMAP, at http://www.insecure.org.
[6] Stephen Northcutt, Judy Novak, Network Intrusion Detection: An Analyst's Handbook, 2nd ed., New Riders.
[7] OPNET online documentation 8.0.C, OPNET Technologies, Inc., Washington DC.
[8] Tao Wan, Xue Dong Yang, "IntruDetector: A Software Platform for Testing Network Intrusion Detection Algorithms", http://www.acsac.org/2001/papers/54.pdf.
[9] Zheng Zhang, Jun Li, C.N. Manikopoulos, Jay Jorgenson, Jose Ucles, "HIDE: A Hierarchical Network Intrusion Detection System Using Statistical Preprocessing and Neural Network Classification", in Proceedings of 2001 IEEE Man Systems and Cybernetics Information Assurance Workshop, 2001.

