Framework for vulnerability reduction in real time intrusion detection and prevention systems using SOM based IDS with Netfilter-Iptables
The International Journal of Computer Science and Information Security is a monthly periodical on research articles in general computer science and information security which provides a distinctive technical perspective on novel technical research work, whether theoretical, applicable, or related to implementation. Target Audience: IT academics, university IT faculties; and business people concerned with computer science and security; industry IT departments; government departments; the financial industry; the mobile industry and the computing industry. Coverage includes: security infrastructures, network security: Internet security, content protection, cryptography, steganography and formal methods in information security; multimedia systems, software, information systems, intelligent systems, web services, data mining, wireless communication, networking and technologies, innovation technology and management. Thanks for your contributions in July 2010 issue and we are grateful to the reviewers for providing valuable comments. IJCSIS July 2010 Issue (Vol. 8, No. 4) has an acceptance rate of 36 %.

(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 4, July 2010
Framework for vulnerability reduction in real time intrusion detection and prevention systems using SOM based IDS with Netfilter-Iptables
Abhinav Kumar, X-Scholar, CSE Department, Jaypee Institute of Information Technology, Deemed University, Noida, India (abhinavjiit@yahoo.co.in)
Kunal Chadha, X-Scholar, CSE Department, Jaypee Institute of Information Technology, Deemed University, Noida, India (id.kunal@gmail.com)
Dr. Krishna Asawa, Associate Prof., CSE/IT Department, Jaypee Institute of Information Technology, Deemed University, Noida, India (krishna.asawa@jiit.ac.in)
Abstract— Intrusion detection systems and intrusion prevention systems are among the possible ways of handling various types of attacks or intrusions, but the credibility of such systems is itself at stake: none of the existing systems can assure your safety. In this paper we propose the integration of a SOM based intrusion detection system with an intrusion prevention system on the Linux platform for preventing intrusions. We propose a framework for reducing real time security risks by using Self-organizing maps for intrusion detection, accompanied by packet filtering through Netfilter-Iptables to handle the malicious data packets.

Keywords-Intrusion Detection System, SOM.

I. INTRODUCTION
In today's world every computer is vulnerable and nothing is secure, but mankind's quest for that ideal security is still going on. The Internet and other ways of communicating over networks are proving to be a boon as well as a bane: a boon when they provide new dimensions to business, and a bane through the harmful effects of intrusions into various networks. Every now and then we witness various types of attacks and keep banging our heads in solving them. As soon as one computer is connected to another there is an added possibility that someone using the other computer can access our computer's information, eventually leading to intrusions. Some recent surveys show that cyber attacks targeted at networks are no longer an unlikely incident that only occurs to a few exposed networks of organizations in the limelight. In the struggle to both maintain and implement any given IT security policy, professional IT security management is no longer able to ignore these issues, as attacks are more frequent and devastating; commercial success is directly related to the safe and reliable operation of their networks [4].

Intrusion is an action that attacks the integrity, confidentiality and availability of system resources [3]. Intrusion detection systems were developed for this cause, so that they can detect the malicious data packets traveling on the network in real time. But such a system has its own limitations; for instance it cannot do session based detection, which uses multiple packets [2]. In a network based IDS, packets are examined according to both header and payload, searching for the attack signatures stored in the IDS attack signature database, which is the vital part of any IDS software [4]; but it becomes inefficient when we talk about blocking those attacks, which can hence easily enter a system. Each such system is passive in reporting intrusions and hence does not provide real time security.

For handling such situations we propose a real time system that consists of an intrusion detection system based on Self organizing maps, for tracing down the malicious packets, along with handling those packets through an intrusion prevention system in the Linux environment. Self-organizing maps are an unsupervised way of learning and have the ability to express topological relationships [22]. The hypothesis is that typical connection characteristics will be emphasized – densely populated regions of the map – whereas atypical activities will appear in sparse regions of the topology [22]. The selection of SOM for intrusion detection is also guided by its robustness with regard to the choice of the number of classes to divide the data into, and by its resistance to the presence of outliers in the training data, which is a desirable property: in real-world situations the training data could already contain attacks or anomalies, and the algorithm must be capable of learning regular patterns out of a "dirty" training set [25]. Detection will be followed by prevention using the Netfilter-Iptables available in the Linux environment [3]. Our system blocks the malicious data packets as soon as they are detected, without any external help, in real time.

This paper is organized in sections in which we discuss existing intrusion detection systems as well as intrusion prevention systems. This is followed by a description of the framework, which consists of the training of the SOM and the usage of netfilter-iptables for packet filtering.
229 http://sites.google.com/site/ijcsis/
ISSN 1947-5500
II. EXISTING INTRUSION DETECTION SYSTEM
Scientists and researchers have been continuously working for quite a few years on the development of a perfect intrusion detection system (IDS) that cannot be bluffed. Its main job is to monitor, analyze, detect and respond to intrusions into information systems [5]. Intrusion detection systems can be broadly categorized into signature based and anomaly detection systems, and may be passive. Signature based IDS look for attack signatures: specific patterns of network traffic or activity in log files that indicate suspicious behavior. Signature-based methods rely on a specific signature of an intrusion which, when found, triggers an alarm [6, 7]. Coming to its sub categories: if an IDS searches for suspicious attack signatures in the traffic flowing on the network it is called a Network intrusion detection system (NIDS), and when the same is done by looking at the log files of hosts it is termed a Host intrusion detection system (HIDS) [4]. HIDS is mostly deployed in e-commerce environments for securing sensitive data, but it serves the purpose only at the host level. NIDS performs the search for attack signatures at the packet level, and as soon as a match is found an alarm is raised. The anomaly detection IDS uses statistical techniques to detect penetrations and attacks; it begins with the establishment of a base-line statistical behavior, that is, what the normal behavior for this system is. After that it captures new statistical data and measures it to find the deviation from the base line. Once a threshold is exceeded, an alarm is generated [4].

All the above-mentioned IDSs suffer from a few serious limitations. As the attack trails increase, it becomes difficult for a network IDS or host IDS to detect the attacks with a limited capability [9]. Some of them are:
1) High misinformation rate: bulky logs and real-time prevention are problems that have not yet been solved efficiently [3]. An alarm gets raised even if there was no attack (false positive), and no alarm is raised even if there is an attack (false negative). Hence there is a need for a more exact and effective access control policy [8], and in anomaly detection methods the base line needs to be adjusted dynamically.
2) Once an IDS gets attacked, it allows the attacker to move freely on the network [8].
3) There is no way by which an IDS can block an attacker; it remains confined to its primary job of detection.

III. INTRUSION PREVENTION SYSTEM
An intrusion prevention system (IPS), also known as a Network Defense System (NDS), is a system in which a firewall is tightly coupled with an IDS and can react to changes in the network environment [8]. It can be either software or hardware, providing help in blocking illegal external attacks, preventing the loss, destruction and alteration of internal information by illegitimate users through the Internet, and helping internal information to be provided to the outside safely. It is an active protection process that prohibits the incoming of illegal traffic and permits only authorized traffic [17]. An IPS is generally located in the rear section of a router and keeps a check on the packets forwarded to the router by analyzing and comparing them with filter rules [16]. In order to provide proper security the IPS should fulfill criteria like the following: it must be a part of the communication link and supported by dedicated hardware, it should actively detect intrusions in real time, and it should block those intrusions instantaneously.

IV. PROPOSED FRAMEWORK
The proposed framework for an efficient intrusion detection-protection system is an integration of a SOM based intrusion detection system working in coherence with a netfilter-iptable based firewall. Self Organizing maps, being an unsupervised way of learning, are one of the best choices for intrusion detection because they clearly identify the "odd" phenomenon even in a vast amount of observations, which is their core property. Apart from this, they do not require a priori knowledge as input.

The DARPA 1998 Intrusion Detection Evaluation data set consists of about 5 million connections of labeled training data and 2 million connections of test data [23]. This data consists of the values of all 41 features of a data packet along with its labeling into the categories normal, smurf, Neptune etc. These 41 features consist of Basic TCP features, Content features, Time-based traffic features and Host-based traffic features [24]. Since the proposed work is a data driven unsupervised form of learning, out of those 41 features only the 6 carrying basic TCP information are required, namely duration of connection, protocol type (tcp/udp), service (HTTP etc.), destination bytes, source bytes and the value of the flag. Hence the SOM based IDS has 6 inputs and classifies packets into three clusters: normal, smurf and Neptune, the latter two being the attacks. Once this network gets trained with this data, it is ready for detecting the malicious packets.

• Why SOM for intrusion detection?
Intrusions carried out by an unknown program lead to disasters because of their unknown behavior and characteristics. Although we can find out their characteristics, they remain a mystery for us, so we need to classify them into normal and abnormal states [11]. Now the problem is reduced to defining the normal and the abnormal states.

The architecture of Self organizing maps was developed by Teuvo Kohonen at the University of Helsinki. Self organizing maps are provided only with a series of input patterns and learn for themselves how to group these together so that similar patterns produce similar outputs. A map consists of a single layer of cells, all of which are connected to a series of inputs. The inputs themselves are not cells and do no processing; they are just the points where the input signal enters the system [14], as shown in Figure 1.
Figure 1 (Self Organizing Map): inputs x1 … xN feeding a single layer of cells.

This network involves unsupervised learning and hence itself finds what it needs to learn, without any external help. In the area of intrusion detection systems, the use of unsupervised learning algorithms supports the detection of anomalies [10, 12]. Moreover, a learning algorithm can be tuned totally to the specific network it operates in, which is also an important feature for reducing the number of false positives and optimizing the detection rate [12].

• Training the SOM
The training of a self organizing map involves sampling, similarity matching and updating, apart from the basic initialization of the weights to very small values in the range 0 to 0.01 [13]. The learning process of the SOM is as follows:

1) During initialization, the only restriction is that $\mathbf{w}_j(0)$ be different for $j = 1, 2, \dots, l$, where $l$ is the number of neurons in the lattice.

2) This is followed by sampling, where a sample vector $\mathbf{x}$ (representing an activation pattern) is drawn from the input space with a certain probability and presented to the lattice. In the proposed work, out of the previously mentioned 41 features, the 6 basic TCP fields are presented to the network.

3) In similarity matching every node is examined to calculate which one's weights are most like the input vector. The winning node is commonly known as the Best Matching Unit (BMU) or winning neuron. The BMU is found by iterating through all the nodes and calculating the Euclidean distance between each node's weight vector and the current input vector. Hence the BMU $i(\mathbf{x})$ at time step $n$, by the minimum-distance Euclidean criterion, is

$$ i(\mathbf{x}) = \arg\min_{j} \| \mathbf{x}(n) - \mathbf{w}_j \|, \qquad j = 1, 2, \dots, l \qquad \text{(Formula 1)} $$

The node with the weight vector closest to the input vector is tagged as the BMU. As learning proceeds and new input vectors are given to the lattice, the learning rate gradually decreases to zero according to the specified learning rate function type [15]. Along with the learning rate, the neighborhood radius decreases as well.

4) In the updating phase the synaptic weight vectors of all the neurons are updated by using the formula

$$ \mathbf{w}_j(n+1) = \mathbf{w}_j(n) + \eta(n)\, h_{j,i(\mathbf{x})}(n)\, \big( \mathbf{x}(n) - \mathbf{w}_j(n) \big) \qquad \text{(Formula 2)} $$

where $\eta(n)$ is the learning-rate parameter, which has been set to 0.1, and $h_{j,i(\mathbf{x})}(n)$ is the neighborhood function centered around the winning neuron $i(\mathbf{x})$; both $\eta(n)$ and $h_{j,i(\mathbf{x})}(n)$ are varied dynamically during learning for best results [14].

5) We continue with step 2 until no noticeable changes in the feature map are observed, or for a given number of iterations (generally fixed; in our case it is 50000).

After training, the SOM is ready to categorize the packets into three different categories, namely smurf, Neptune and normal. After this phase the work of the intrusion prevention system starts. The efficiency of an IPS is decreased because of certain limitations in its basic principles: an IPS performs packet filtering based on predefined rules, so what if there is a novel attack? An IPS has passive characteristics in that it can only enforce the predefined rules and filter some kinds of packets [18]. Apart from this, it is also not able to detect an attack carried out from the internal network of an organization. We propose to use Netfilter-Iptables for overcoming many such drawbacks of intrusion prevention systems.

• Netfilter-Iptable
Netfilter is a set of hooks inside the Linux kernel [18]. Netfilter is a framework that enables packet filtering, network address [and port] translation and other packet mangling. It performs packet filtering based on rules saved in packet filtering tables in kernel space. The rules are grouped in chains according to the types of packets they deal with. Rules dealing with incoming packets are added to the INPUT chain, rules dealing with outgoing packets are added to the OUTPUT chain and rules dealing with packets being forwarded are added to the FORWARD chain [20]. Other than these three chains there are other chains as well, like PREROUTING and POSTROUTING, and user defined chains. As soon as a packet comes to a chain, its next action is decided on that chain.

When a packet matches a rule, the action performed can be ACCEPT, where the packet is allowed to go wherever it is destined to (-j ACCEPT); DROP, where the packet is blocked and no further processing is done on it (-j DROP); or REJECT, which is similar to DROP but doesn't leave dead sockets and sends back an error message (-j REJECT), as shown in Figure 2 [21]. There are a few more actions that can be performed on packets.
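The five training steps of the "Training the SOM" subsection above, worked through in code. This is an added example, not the authors' implementation: it is plain Python on a 5×5 lattice with far fewer iterations than the paper's 50000, the connection records are constructed rather than taken from the DARPA data, the categorical encodings and the log scaling of byte counts are assumptions, and the trained neurons are named by majority vote of the training labels because the paper does not state how its three clusters are named.

```python
"""Added example: a small Self-Organizing Map implementing training steps 1-5 on six
basic TCP connection features, then labelling the trained map so that it separates the
three classes the paper uses (normal, smurf, Neptune). All records below are constructed
for illustration; they are not from the DARPA/KDD data set."""
import math
import random

# Label encodings for the categorical fields (an assumption of this example).
PROTO = {"tcp": 0.0, "udp": 0.5, "icmp": 1.0}
SERVICE = {"http": 0.0, "smtp": 0.25, "ecr_i": 0.5, "private": 0.75, "other": 1.0}
FLAG = {"SF": 0.0, "S0": 0.5, "REJ": 1.0}
LOG_SCALE = math.log1p(1_000_000)  # maps counts up to ~1e6 into [0, 1]


def encode(record):
    """(duration, protocol, service, dst_bytes, src_bytes, flag) -> 6 floats in [0, 1].
    Duration and byte counts are log-scaled so they do not swamp the categorical
    fields in the Euclidean distance of Formula 1."""
    duration, proto, service, dst_bytes, src_bytes, flag = record

    def scale(v):
        return math.log1p(v) / LOG_SCALE

    return [scale(duration), PROTO[proto], SERVICE[service],
            scale(dst_bytes), scale(src_bytes), FLAG[flag]]


class SOM:
    def __init__(self, rows, cols, dim, seed=0):
        rng = random.Random(seed)
        self.rows, self.cols, self.dim = rows, cols, dim
        # Step 1: every w_j(0) is a small, distinct random vector in [0, 0.01].
        self.w = [[rng.uniform(0.0, 0.01) for _ in range(dim)] for _ in range(rows * cols)]
        self.labels = {}  # neuron index -> class name, filled by calibrate()

    def _dist2(self, x, j):
        return sum((xi - wi) ** 2 for xi, wi in zip(x, self.w[j]))

    def bmu(self, x):
        """Step 3 / Formula 1: index of the neuron whose weights are closest to x."""
        return min(range(len(self.w)), key=lambda j: self._dist2(x, j))

    def train(self, samples, iterations=4000, eta0=0.1, seed=0):
        rng = random.Random(seed)
        sigma0 = max(self.rows, self.cols) / 2.0
        for n in range(iterations):                        # Step 5: fixed iteration count
            x = rng.choice(samples)                        # Step 2: draw a sample vector
            i = self.bmu(x)                                # Step 3: find the winner
            eta = eta0 * math.exp(-n / iterations)         # learning rate decays towards 0
            sigma = max(0.5, sigma0 * math.exp(-3.0 * n / iterations))  # radius shrinks too
            ri, ci = divmod(i, self.cols)
            for j, wj in enumerate(self.w):                # Step 4 / Formula 2
                rj, cj = divmod(j, self.cols)
                h = math.exp(-((ri - rj) ** 2 + (ci - cj) ** 2) / (2.0 * sigma * sigma))
                for k in range(self.dim):
                    wj[k] += eta * h * (x[k] - wj[k])

    def calibrate(self, samples, labels):
        """Name each neuron after the majority class of the training records it wins
        (assumed here; the paper does not say how its clusters are named)."""
        votes = {}
        for x, lbl in zip(samples, labels):
            counts = votes.setdefault(self.bmu(x), {})
            counts[lbl] = counts.get(lbl, 0) + 1
        self.labels = {j: max(c, key=c.get) for j, c in votes.items()}

    def classify(self, x):
        j = self.bmu(x)
        if j not in self.labels:  # winner never won a training record: use nearest labelled neuron
            j = min(self.labels, key=lambda k: self._dist2(x, k))
        return self.labels[j]


# Constructed training records: (duration, protocol, service, dst_bytes, src_bytes, flag), class.
TRAINING = [
    ((2, "tcp", "http", 8153, 215, "SF"), "normal"),
    ((0, "tcp", "http", 5450, 181, "SF"), "normal"),
    ((1, "tcp", "http", 2032, 239, "SF"), "normal"),
    ((5, "tcp", "smtp", 329, 1169, "SF"), "normal"),
    ((0, "icmp", "ecr_i", 0, 1032, "SF"), "smurf"),
    ((0, "icmp", "ecr_i", 0, 520, "SF"), "smurf"),
    ((0, "icmp", "ecr_i", 0, 1480, "SF"), "smurf"),
    ((0, "tcp", "private", 0, 0, "S0"), "neptune"),
    ((0, "tcp", "other", 0, 0, "S0"), "neptune"),
    ((0, "tcp", "private", 0, 0, "S0"), "neptune"),
]


def train_detector(seed=1):
    som = SOM(5, 5, 6, seed=seed)
    xs = [encode(r) for r, _ in TRAINING]
    som.train(xs, iterations=4000, seed=seed)
    som.calibrate(xs, [lbl for _, lbl in TRAINING])
    return som


if __name__ == "__main__":
    det = train_detector()
    for rec in [(3, "tcp", "http", 4100, 250, "SF"),
                (0, "icmp", "ecr_i", 0, 1032, "SF"),
                (0, "tcp", "private", 0, 0, "S0")]:
        print(rec, "->", det.classify(encode(rec)))
```

Running the file prints the class assigned to three constructed test records. In the paper's setting the same classify step would run on the six fields of each captured packet, and its verdict is what the prevention stage acts on.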
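The hand-off from the SOM based IDS to the Netfilter-Iptables firewall that the framework describes (an alert carrying the IP address and port of the offending packet becomes a rule using the -j DROP or -j REJECT targets introduced above), as an added example that is not the paper's code. It drives the iptables command line rather than libiptc, and the class name, the never_block list and the sample addresses are constructed for the illustration.

```python
"""Added example: turning an IDS alert into one iptables rule. The rule is built as an
argument list, never as a shell string, so a malformed alert cannot smuggle extra
options into the command. Illustration code, not the paper's implementation."""
import ipaddress
import subprocess


class IptablesActuator:
    """Builds iptables rules for IDS alerts and applies them through a runner callable.

    runner(argv) -> exit status. The default runs the real binary (needs root on Linux);
    tests pass a recording stub. never_block (constructed) lists networks that must stay
    reachable even if an alert names them, e.g. the administrator's management network."""

    def __init__(self, runner=None, chain="INPUT", action="DROP", never_block=()):
        self.runner = runner or (lambda argv: subprocess.call(argv))
        self.chain = chain
        self.action = action        # DROP or REJECT, the two blocking targets the paper uses
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.active = set()         # rules already inserted, so the table is not flooded with duplicates

    def rule_for(self, src_ip, proto=None, dst_port=None):
        ip = ipaddress.ip_address(src_ip)  # ValueError on anything that is not an address
        if any(ip in net for net in self.never_block):
            raise PermissionError(f"{ip} is on the never-block list")
        # -I <chain> 1 puts the rule first, so it wins over any earlier ACCEPT rule;
        # -s matches the packet's source, which is what "block this IP" means for an alert.
        argv = ["iptables", "-I", self.chain, "1", "-s", str(ip)]
        if proto is not None:
            if proto not in ("tcp", "udp", "icmp"):
                raise ValueError(f"unsupported protocol {proto!r}")
            argv += ["-p", proto]
            if dst_port is not None:
                if proto == "icmp" or not 0 < int(dst_port) < 65536:
                    raise ValueError("a destination port needs tcp/udp and a value in 1..65535")
                argv += ["--dport", str(int(dst_port))]
        elif dst_port is not None:
            raise ValueError("a port match needs a protocol")
        return argv + ["-j", self.action]

    def block(self, src_ip, proto=None, dst_port=None):
        """Apply the rule for an alert. True if a new rule was inserted, False if it already was."""
        argv = self.rule_for(src_ip, proto, dst_port)
        key = tuple(argv)
        if key in self.active:
            return False
        if self.runner(argv) != 0:
            raise RuntimeError("iptables failed for " + " ".join(argv))
        self.active.add(key)
        return True


def handle_alert(actuator, verdict, src_ip, proto=None, dst_port=None):
    """Framework decision: only attack classes reach the firewall; 'normal' is ignored."""
    if verdict == "normal":
        return "ignored"
    return "blocked" if actuator.block(src_ip, proto, dst_port) else "already-blocked"


if __name__ == "__main__":
    issued = []  # recording runner: collects the commands instead of executing them
    fw = IptablesActuator(runner=lambda argv: issued.append(argv) or 0, never_block=["10.0.0.0/24"])
    print(handle_alert(fw, "smurf", "192.168.1.1", "icmp"))
    print(handle_alert(fw, "neptune", "192.168.1.1", "tcp", 80))
    print(handle_alert(fw, "normal", "192.168.1.2"))
    for argv in issued:
        print(" ".join(argv))
```

The default runner executes the real iptables binary, so block() must run as root on a Linux host; the recording runner in the __main__ section lets the logic be exercised anywhere. The never_block list matters for an automatic IDS-to-firewall loop: a flood whose packets carry forged source addresses would otherwise let the attacker make the firewall insert DROP rules against whichever hosts the forged addresses name, and rules inserted this way should be expired or reviewed rather than accumulated indefinitely.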
Figure-2 (Netfilter system) [21]: packets from the communication channel pass through the Input chain, Forward chain and Output chain, where they are ACCEPTed, DROPed or REJECTed.

The iptables tool inserts and deletes rules from the kernel's packet filtering table [21]. 'Iptables' is not a packet filtering tool itself; it is just the command tool of the Netfilter framework imported into the kernel, and we use this tool to make rules that reflect current intrusion aspects [3]. A few of its commands are: (-N) create a new chain, (-L) list the rules in a chain, (-F) flush the rules out of a chain, (-A) append a new rule to a chain, (-I) insert a new rule at some position in a chain, (-X) delete an empty chain, (-D) delete a rule at some position in a chain, or the first that matches, etc. For example, for deleting rule 1 of the INPUT chain:

# iptables -D INPUT 1

For blocking packets from the IP address 192.168.1.1:

# iptables -A INPUT -s 192.168.1.1 -j DROP

(-s matches the source address of the packet; -d would instead match its destination address.)

Now, as soon as the SOM based IDS finds an attack it generates an alert. Along with generating the alarm it also passes the information, namely the port number and IP address of that malicious packet, to the netfilter-iptable firewall. Then the IPS (firewall) decides how to deal with that packet according to the rules of the kernel's packet filtering table. The decision regarding dropping, accepting or rejecting the incoming packets is taken at this juncture, after matching the packets with the predefined rules present in the various chains (input, output, forward). In cases of indecision, or if no matching rule is present in the packet filtering table, it updates the table by inserting additional rules into it. This property of Netfilter-Iptable overcomes its limitation of handling only such packets for which predefined rules are available. This update of the rules table is carried out by using libiptc (libiptc is a library to set the packet filtering function in the Netfilter framework) [3] and can take the form of blocking that particular IP address or blocking only that particular port, as shown in Figure 3.

Figure-3 (Integrated Framework): a sniffer captures the incoming data packets from the communication channel and transfers the 6 TCP features to the trained SOM based IDS; if an intrusion is detected, the Netfilter-iptable firewall blocks the packet, otherwise the packet is ignored and forwarded on the communication channel.

V. CONCLUSION AND FUTURE WORK
In this research we have investigated a few of the intrusion detection and prevention systems and critically analyzed them. We have explored the role of self organizing maps, an artificial intelligence technique, in increasing the efficiency of intrusion detection systems. We also presented an extensive study of Netfilter-Iptable for overcoming a few of the limitations of existing intrusion prevention systems. Along with this we finally proposed an integrated version of a SOM based IDS with a netfilter-iptable firewall that does not require any external help in the form of an administrator for handling the malicious data packets. During the research we focused only on three classes: normal, smurf and Neptune. More practical
IDSs should have several attack types; therefore it is possible, as a future development of the present study, to include more attack scenarios in the dataset. We have taken only 6 basic TCP fields of a packet for training our network for intrusion detection. Hence in future, further improvements can be made by including more parameters of a data packet.

REFERENCES
[1] Kulesh Shanmugasundaram, Nasir Memon, Anubhav Savant, and Herve Bronnimann. ForNet: A Distributed Forensics Network. V. Gorodetsky et al. (Eds.): MMM-ACNS 2003, LNCS 2776, pp. 1–16, 2003. © Springer-Verlag Berlin Heidelberg 2003.
[2] Bace, R.G.: Intrusion Detection. Macmillan Technical Pub (2000).
[3] Min Wook Kil, Seung Kyeom Kim, Geuk Lee and Youngmi Kwon. A Development of Intrusion Detection and Protection System Using Netfilter Framework. D. Ślęzak et al. (Eds.): RSFDGrC 2005, LNAI 3642, pp. 520–529, 2005. © Springer-Verlag Berlin Heidelberg 2005.
[4] Andreas Fuchsberger. Intrusion Detection Systems and Intrusion Prevention Systems. ISSN 1363-4127, published by Elsevier Ltd., doi:10.1016/j.istr.2005.08.00, 2005.
[5] Jeong, B.H., Kim, J.N., Sohn, S.W.: Current Status and Expectation of Techniques for Intrusion Protection System. http://kidbs.it.nd.or.kr/WZIN/jugidong/1098/109801.htm
[6] Ilgun, K., Kemmerer, R.A., and Porras, P.A.: State transition analysis: A rule based intrusion detection approach. IEEE Transactions on Software Engineering (March 1995).
[7] Kumar, S. and Spafford, E.H.: An application of pattern matching in intrusion detection. Purdue University Technical Report CSD-TR-94-013 (1994).
[8] Xinyou Zhang, Chengzhong Li and Wenbin Zheng. Intrusion prevention system design. 0-7695-2216-5/04. IEEE (2004).
[9] Shim, D.C.: A trend of Intrusion Detection System. KISDI IT FOCUS 4. Korea Information Strategy Development Institute (2001) 61-65.
[10] U. Labib and V. R. Vemuri. NSOM: A tool to detect denial of service attacks using self-organizing maps.
[11] Sahin Albayrak, Achim Muller, Christian Scheel and Dragan Milosevic. Combining Self-Organizing Map Algorithms for Robust and Scalable Intrusion Detection. Proceedings of the 2005 International Conference on Computational Intelligence for Modelling, Control and Automation, and International Conference on Intelligent Agents, Web Technologies and Internet Commerce (CIMCA-IAWTIC'05), 2005.
[12] Stefano Zanero and Sergio M. Savaresi. Unsupervised learning techniques for an intrusion detection system. SAC'04, March 14-17, 2004, Nicosia, Cyprus. Copyright 2004 ACM 1581138121/03/04.
[13] http://richardbowles.tripod.com/neural/kohonen/kohonen.htm
[14] Haykin, Simon: Neural networks - a comprehensive foundation. Pearson Education (4th Indian reprint, 2003).
[15] Liberios Vokorokos, Anton Balaz and Martin Chovanec. Intrusion detection system using self organizing map. Acta Electrotechnica et Informatica No. 1, Vol. 6, 2006.
[16] Min Wook Kil, Si Jung Kim, Youngmi Kwon and Geuk Lee. Network Intrusion Protection System Using Rule-Based DB and RBAC Policy. IFIP International Federation for Information Processing, NPC 2004, LNCS 3222, pp. 670-675, 2004.
[17] http://www.terms.co.kr, Dictionary of Computer Terms.
[18] Cho, D.I., Song, K.C., Noh, B.K.: Handbook of Analysis for Detection of Network Intrusion and Hacking. Infobook (2001).
[19] http://www.netfilter.org/, netfilter/iptables project homepage – The netfilter project.
[20] ploug.eu.org/doc/s-netip.pdf
[21] http://www.netfilter.org/documentation/HOWTO/pt/packet-filtering-HOWTO.txt
[22] Peter Lichodzijewski, A. Nur Zincir-Heywood and Malcolm I. Heywood. Dynamic Intrusion Detection Using Self-Organizing Maps. CITSS, 2002.
[23] The Third International Knowledge Discovery and Data Mining Tools Competition, http://kdd.ics.uci.edu/databases/kddcup99.kddcup99.html, May 2002.
[24] W. Lee, S. J. Stolfo and K. W. Mok, "Mining in a data-flow environment: experience in network intrusion detection," in Knowledge Discovery and Data Mining, pp. 114-124, 1999.
[25] Stefano Zanero. Improving Self Organizing Map Performance for Network Intrusion Detection, 2004.
[26] Kunal Chadha and Abhinav Kumar, Thesis submitted as part of Network Forensics Project, Jaypee Institute of Information Technology University, Noida.