Framework for vulnerability reduction in real time intrusion detection and prevention systems using SOM based IDS with Netfilter-Iptables
The International Journal of Computer Science and Information Security is a monthly periodical on research articles in general computer science and information security which provides a distinctive technical perspective on novel technical research work, whether theoretical, applicable, or related to implementation. Target Audience: IT academics, university IT faculties; and business people concerned with computer science and security; industry IT departments; government departments; the financial industry; the mobile industry and the computing industry. Coverage includes: security infrastructures, network security: Internet security, content protection, cryptography, steganography and formal methods in information security; multimedia systems, software, information systems, intelligent systems, web services, data mining, wireless communication, networking and technologies, innovation technology and management. Thanks for your contributions in July 2010 issue and we are grateful to the reviewers for providing valuable comments. IJCSIS July 2010 Issue (Vol. 8, No. 4) has an acceptance rate of 36 %.
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 4, July 2010

Framework for vulnerability reduction in real time intrusion detection and prevention systems using SOM based IDS with Netfilter-Iptables

Abhinav Kumar, X-Scholar, CSE Department, Jaypee Institute of Information Technology, Deemed University, Noida, India, firstname.lastname@example.org
Kunal Chadha, X-Scholar, CSE Department, Jaypee Institute of Information Technology, Deemed University, Noida, India, email@example.com
Dr. Krishna Asawa, Associate Prof., CSE/IT Department, Jaypee Institute of Information Technology, Deemed University, Noida, India, firstname.lastname@example.org

Abstract— Intrusion detection systems and intrusion prevention systems are two of the possible ways of handling the various types of attacks and intrusions, but the credibility of such systems is itself at stake: none of the existing systems can assure you of your safety. In this paper we propose the integration of a SOM based intrusion detection system with an intrusion prevention system on the Linux platform for preventing intrusions. We propose a framework for reducing real time security risks by using Self-organizing maps for intrusion detection, accompanied by packet filtering through Netfilter-Iptables to handle the malicious data packets.

Keywords- Intrusion Detection System, SOM.

I. INTRODUCTION

In today's world every computer is vulnerable and nothing is secure, but mankind's quest for that ideal security is still going on. The Internet and other ways of communicating over a network are proving to be a boon as well as a bane: a boon when they open new dimensions for business, and a bane through the harmful effects of intrusions into various networks. Every now and then we witness various types of attacks and keep banging our heads in solving them. As soon as one computer is connected to another there is an added possibility that someone using the other computer can access our computer's information, eventually leading to intrusions. Some recent surveys show that cyber attacks targeted at networks are no longer an unlikely incident that only occurs to a few exposed networks of organizations in the limelight. In the struggle to both maintain and implement any given IT security policy, professional IT security management is no longer able to ignore these issues, as attacks are more frequent and devastating; commercial success is directly related to the safe and reliable operation of their networks.

An intrusion is an action that attacks the integrity, confidentiality and availability of system resources. Intrusion detection systems were developed for this cause, so that they can detect the malicious data packets traveling on the network in real time. But they have their own limitations, such as being unable to perform session based detection, which uses multiple packets. In a network based IDS, packets are examined both according to header and payload, searching for attack signatures stored in the IDS attack signature database, which is the vital part of any IDS software; but it becomes inefficient when we talk about blocking those attacks, which hence can easily enter a system. Each such system is passive in reporting intrusions and hence does not provide real time security. For handling such situations we propose a real time system that consists of an intrusion detection system based on Self organizing maps for tracing down the malicious packets, along with handling those packets through an intrusion prevention system in the Linux environment. Self-organizing maps are an unsupervised way of learning and have the ability to express topological relationships. The hypothesis is that typical connection characteristics will be emphasized (densely populated regions of the map), whereas atypical activities will appear in sparse regions of the topology. The selection of SOM for intrusion detection is also guided by its robustness with regard to the choice of the number of classes to divide the data into, and by its resistance to the presence of outliers in the training data, which is a desirable property: in real-world situations the training data could already contain attacks or anomalies, and the algorithm must be capable of learning regular patterns out of a "dirty" training set. Detection will be followed by prevention using the Netfilter-Iptables available in the Linux environment. Our system blocks the malicious data packets as soon as they are detected, without any external help, in real time.

This paper is organized in various sections in which we discuss existing intrusion detection systems as well as intrusion prevention systems. This is followed by a description of the framework, which consists of training of the SOM and the usage of netfilter-iptables for packet filtering.

II. EXISTING INTRUSION DETECTION SYSTEMS

Scientists and researchers have been working continuously for quite a few years on the development of a perfect intrusion detection system (IDS) that can't be bluffed. Its main job is to monitor, analyze, detect and respond to intrusions into information systems. Intrusion detection systems can be broadly categorized into signature based and anomaly detection systems. They may be passive. Signature based IDS look for attack signatures, specific patterns of network traffic or activity in log files that indicate suspicious behavior. Signature-based methods rely on a specific signature of an intrusion which, when found, triggers an alarm [6, 7]. Coming to its sub categories: if an IDS searches for suspicious attack signatures in the traffic flowing on the network it is called a network intrusion detection system (NIDS), and when the same is done by looking at the log files of hosts it is termed a host intrusion detection system (HIDS). HIDS is mostly deployed in e-commerce environments for securing sensitive data, but it serves the purpose only at the host level. NIDS performs the search for attack signatures at the packet level, and as soon as a match is found an alarm is raised. The anomaly detection IDS uses statistical techniques to detect penetrations and attacks; it begins with the establishment of base-line statistical behavior, that is, what the normal behavior for this system is. After that it captures new statistical data and measures the deviation from the base line. Once a threshold is exceeded, an alarm is generated.

All the above-mentioned IDSs suffer from a few serious limitations. As attack trails increase, it becomes difficult for a network IDS or host IDS to detect the attacks with its limited capability. Some of them are:

1) High misinformation rate, bulky logs and real-time prevention are problems that have not yet been solved efficiently. An alarm gets raised even if there was no attack (false positive), and no alarm is raised even if there is an attack (false negative). Hence there is a need for a more exact and effective access control policy, and in anomaly detection methods the base line needs to be adjusted dynamically.

2) Once an IDS gets attacked, it allows the attacker to move freely on the network.

3) There is no way by which an IDS can block an attacker; it remains confined only to its primary job of detection.

III. INTRUSION PREVENTION SYSTEM

An intrusion prevention system (IPS), also known as a Network Defense System (NDS), is a system in which a firewall is tightly coupled with an IDS so that it can react to changes in the network environment. It can be in the form of software or hardware, helping to block illegal external attacks, preventing the loss, destruction and alteration of internal information by illegitimate users through the Internet, and helping internal information to be provided to the outside safely. It is an active protection process that prohibits incoming illegal traffic and permits only authorized traffic. An IPS is generally located in the rear section of the router and keeps a check on the packets forwarded to the router by analyzing and comparing them with filter rules. In order to provide proper security the IPS should fulfill criteria such as: it must be part of the communication link and supported by dedicated hardware; it should actively detect intrusions in real time; and it should block those intrusions instantaneously.

IV. PROPOSED FRAMEWORK

The proposed framework for an efficient intrusion detection-protection system is an integration of a SOM based intrusion detection system working in coherence with a netfilter-iptable based firewall. Self Organizing maps, being an unsupervised way of learning, are one of the best choices for intrusion detection because they clearly identify the "odd" phenomenon even in a vast amount of observations, which is their core property. Apart from this, they do not require a priori knowledge inputs.

The DARPA 1998 Intrusion Detection Evaluation data set consists of about 5 million connections of labeled training data and 2 million connections of test data. This data consists of the values of all 41 features of a data packet along with its labeling into the categories normal, smurf, Neptune etc. These 41 features consist of basic TCP features, content features, time-based traffic features and host-based traffic features. Since the proposed work is a data driven, unsupervised form of learning, out of those 41 features only the 6 carrying basic TCP information are required, namely: duration of connection, protocol type (tcp/udp), service (HTTP etc.), destination bytes, source bytes and the value of the flag. Hence the SOM based IDS has 6 inputs and classifies packets into three clusters: normal, smurf and Neptune, the latter two being the attacks. Once this network is trained with this data, it is ready for detecting the malicious packets.

• Why SOM for intrusion detection?

Intrusions done by an unknown program lead to disasters because of their unknown behavior and characteristics. Although we can find out its characteristics, they remain a mystery for us. So we need to classify it into the normal and the abnormal states. Now the problem is reduced to defining the normal and the abnormal states.
The architecture of Self organizing maps was developed by Teuvo Kohonen at the University of Helsinki. Self organizing maps are provided only with a series of input patterns, and the map learns for itself how to group these together so that similar patterns produce similar outputs. It consists of a single layer of cells, all of which are connected to a series of inputs. The inputs themselves are not cells and do no processing; they are just the points where the input signal enters the system, as shown in Figure 1.

[Figure 1 (Self Organizing Map): inputs x1 … xN feeding a single layer of cells]

This network involves unsupervised learning and hence itself finds what it needs to learn, without any external help. In the area of intrusion detection systems, the use of unsupervised learning algorithms supports the detection of anomalies [10, 12]. Moreover, a learning algorithm can be tuned totally to the specific network it operates in, which is also an important feature for reducing the number of false positives and optimizing the detection rate.

• Training the SOM

The training of a self organizing map involves sampling, similarity matching and updating, apart from the basic initialization of the weights to very small values in the range 0 to 0.01. The learning process of the SOM is as follows:

1) During initialization, the only restriction is that $w_j(0)$ be different for $j = 1, 2, \dots, l$, where $l$ is the number of neurons in the lattice.

2) This is followed by sampling, where a sample vector $x$ (representing an activation pattern) is drawn from the input space with a certain probability and presented to the lattice. In the proposed work, out of the previously mentioned 41 features, the 6 basic TCP features are presented to the network.

3) In similarity matching every node is examined to calculate which one's weights are most like the input vector. The winning node is commonly known as the Best Matching Unit (BMU) or winning neuron. The BMU is calculated by iterating through all the nodes and calculating the Euclidean distance between each node's weight vector and the current input vector. Hence the BMU $i(x)$ at time step $n$, using the minimum-distance Euclidean criterion, is:

$$i(x) = \arg\min_{j} \| x(n) - w_j \|, \quad j = 1, 2, \dots, l \qquad \text{(Formula 1)}$$

The node with the weight vector closest to the input vector is tagged as the BMU. As the learning proceeds and new input vectors are given to the lattice, the learning rate gradually decreases to zero according to the specified learning rate function type. Along with the learning rate, the neighborhood radius decreases as well.

4) In the updating phase the synaptic weight vectors of all the neurons are updated using the formula

$$w_j(n+1) = w_j(n) + \eta(n)\, h_{j,i(x)}(n)\, \bigl(x(n) - w_j(n)\bigr) \qquad \text{(Formula 2)}$$

where $\eta(n)$ is the learning-rate parameter, which has been set to 0.1, and $h_{j,i(x)}(n)$ is the neighborhood function centered around the winning neuron $i(x)$; both $\eta(n)$ and $h_{j,i(x)}(n)$ are varied dynamically during learning for best results.

5) We continue with step 2 until no noticeable changes in the feature map are observed, or for a given number of iterations (generally fixed; in our case it is 50000).

After training, the SOM is ready to categorize the packets into three different categories, namely smurf, Neptune and Normal. After this phase the work of the intrusion prevention system starts.
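The five training steps above, carried through on the six basic TCP features, as an added example in Python; this is not the paper's code. The categorical encodings for protocol, service and flag, the scaling ranges, the Gaussian neighborhood, the exponential decay of the learning rate and radius, the 5x5 lattice, the 3000 iterations and the constructed connection records are all assumptions of this example, as is the final step of labeling each neuron by the majority class of the training records it wins, which the paper does not spell out.

```python
"""Toy SOM based packet classifier (added example, not the paper's code)."""
import math
import random

# Feature order follows the six basic TCP features the paper uses:
# duration, protocol type, service, source bytes, destination bytes, flag.
# The categorical encodings and scaling ranges are assumptions of this
# example; the paper does not state how it encodes these features.
PROTO = {"tcp": 0, "udp": 1, "icmp": 2}
SERVICE = {"http": 0, "ecr_i": 1, "private": 2}
FLAG = {"SF": 0, "S0": 1, "REJ": 2}


def encode(conn):
    """Map one (duration, proto, service, src_bytes, dst_bytes, flag) record into [0, 1]^6."""
    dur, proto, svc, sbytes, dbytes, flag = conn
    return [min(dur / 1000.0, 1.0), PROTO[proto] / 2.0, SERVICE[svc] / 2.0,
            min(sbytes / 2000.0, 1.0), min(dbytes / 5000.0, 1.0), FLAG[flag] / 2.0]


def make_dataset(rng, per_class=60):
    """Constructed labeled connections resembling the paper's three classes."""
    data = []
    for _ in range(per_class):
        data.append(((rng.uniform(0, 5), "tcp", "http", rng.uniform(150, 400),
                      rng.uniform(1000, 3000), "SF"), "normal"))
        data.append(((0, "icmp", "ecr_i", rng.choice([520, 1032]), 0, "SF"), "smurf"))
        data.append(((0, "tcp", "private", 0, 0, "S0"), "neptune"))
    return data


def dist2(x, w):
    """Squared Euclidean distance between an input vector and a weight vector."""
    return sum((a - b) ** 2 for a, b in zip(x, w))


class SOM:
    def __init__(self, rows, cols, dim, rng):
        self.rows, self.cols, self.dim = rows, cols, dim
        # Step 1: small random initial weights in [0, 0.01], distinct per neuron.
        self.w = [[rng.uniform(0, 0.01) for _ in range(dim)] for _ in range(rows * cols)]
        self.labels = {}  # neuron index -> class label, filled by calibrate()

    def bmu(self, x):
        """Formula 1: the neuron whose weight vector is nearest to x."""
        return min(range(len(self.w)), key=lambda j: dist2(x, self.w[j]))

    def train(self, vectors, iterations, rng, eta0=0.1):
        sigma0 = max(self.rows, self.cols) / 2.0
        for n in range(iterations):                      # step 5: fixed iteration budget
            x = rng.choice(vectors)                      # step 2: sampling
            i = self.bmu(x)                              # step 3: similarity matching
            eta = eta0 * math.exp(-n / iterations)       # learning rate decays toward 0
            sigma = sigma0 * math.exp(-n / iterations)   # neighborhood radius shrinks too
            ri, ci = divmod(i, self.cols)
            for j, wj in enumerate(self.w):              # step 4: update every neuron
                rj, cj = divmod(j, self.cols)
                h = math.exp(-((ri - rj) ** 2 + (ci - cj) ** 2) / (2 * sigma * sigma))
                for k in range(self.dim):                # Formula 2
                    wj[k] += eta * h * (x[k] - wj[k])

    def calibrate(self, data):
        """Give each neuron the majority label of the training records it wins (assumption)."""
        votes = {}
        for conn, label in data:
            counts = votes.setdefault(self.bmu(encode(conn)), {})
            counts[label] = counts.get(label, 0) + 1
        self.labels = {j: max(c, key=c.get) for j, c in votes.items()}

    def classify(self, conn):
        """Label a new connection by its nearest labeled neuron."""
        x = encode(conn)
        return self.labels[min(self.labels, key=lambda j: dist2(x, self.w[j]))]


def train_detector(seed=7, iterations=3000):
    rng = random.Random(seed)
    data = make_dataset(rng)
    som = SOM(5, 5, 6, rng)
    som.train([encode(c) for c, _ in data], iterations, rng)
    som.calibrate(data)
    return som


if __name__ == "__main__":
    som = train_detector()
    for conn in [(1, "tcp", "http", 230, 1500, "SF"),
                 (0, "icmp", "ecr_i", 1032, 0, "SF"),
                 (0, "tcp", "private", 0, 0, "S0")]:
        print(conn, "->", som.classify(conn))
```

Because training is unsupervised, the labels attached to the trained map are the only place supervision enters; a practitioner deploying this should check how many neurons end up unlabeled and how the map behaves on connections that fall between the three constructed clusters, since a "dirty" training set shifts exactly those boundaries.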
The efficiency of an IPS decreases because of certain limitations in its basic principles. An IPS performs packet filtering based on predefined rules, so what if there is a novel attack? An IPS has passive characteristics in that it can enforce only the predefined rules and filter some kinds of packets. Apart from this, it is also not able to detect an attack carried out from the internal network of an organization. We propose to use Netfilter-Iptables for overcoming many such drawbacks of intrusion prevention systems.

• Netfilter-Iptable

Netfilter is a set of hooks inside the Linux kernel. It is a framework that enables packet filtering, network address [and port] translation and other packet mangling. It performs packet filtering based on rules saved in packet filtering tables in kernel space. The rules are grouped in chains according to the types of packets they deal with. Rules dealing with incoming packets are added to the INPUT chain, rules dealing with outgoing packets are added to the OUTPUT chain, and rules dealing with packets being forwarded are added to the FORWARD chain. Other than these three chains there are also chains like PREROUTING and POSTROUTING, and user defined chains. As soon as a packet comes to a chain, its next action is decided on that chain. When a packet matches a rule, the action performed is ACCEPT, and the packet is allowed to go wherever it is destined (-j ACCEPT); with DROP the packet is blocked and no further processing is done on it (-j DROP); REJECT is similar to DROP but doesn't leave dead sockets and sends back an error message (-j REJECT), as shown in Figure 2. There are a few more actions that can be performed on packets.

[Figure 2 (Netfilter system): incoming packets enter the INPUT chain and are ACCEPTed to internal processes; packets to be forwarded pass the FORWARD chain and the OUTPUT chain when ACCEPTed; otherwise they are DROPed or REJECTed]

The iptables tool inserts and deletes rules from the kernel's packet filtering table. 'Iptables' is not a packet filtering firewall tool itself; it is just the command tool of the Netfilter imported in the kernel, and we should use this tool to make rules that reflect current intrusion aspects. A few of its commands are: (-N) create a new chain, (-L) list the rules in a chain, (-F) flush the rules out of a chain, (-A) append a new rule to a chain, (-I) insert a new rule at some position in a chain, (-X) delete an empty chain, (-D) delete a rule at some position in a chain, or the first that matches, etc. For example, for deleting rule 1 of the INPUT chain:

# iptables -D INPUT 1

For blocking all incoming packets from the IP address 192.168.1.1:

# iptables -A INPUT -s 192.168.1.1 -j DROP

(-s matches the source address of the packet. The -f option, which restricts a rule to second and further fragments, is not used here, since a rule carrying it would leave unfragmented packets from that address unblocked.)

Now as soon as the SOM based IDS finds an attack it generates an alert. Along with generating the alarm it also passes the port number and IP address of that malicious packet to the netfilter-iptable firewall. The IPS (firewall) then decides how to deal with that packet according to the rules in the kernel's packet filtering table. The decision regarding dropping, accepting or rejecting the incoming packet is taken at this juncture, after matching the packet with the predefined rules present in the various chains (INPUT, OUTPUT, FORWARD). In cases of indecision, or if no matching rule is present in the packet filtering table, it updates the table by inserting additional rules into it. This property of Netfilter-Iptable overcomes its limitation of handling only those packets for which predefined rules are available. This updating of the rules table is carried out using libiptc (libiptc is a library to set the packet filtering function in the Netfilter framework) and can take the form of blocking that particular IP address or blocking only that particular port, as shown in Figure 3.

[Figure 3 (Integrated Framework): communication channel → sniffer captures the incoming data packet → transfer of the 6 TCP features → trained SOM based IDS → intrusion? yes: Netfilter-iptable blocks the packet; no: ignore, and the packet returns to the communication channel]
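The hand-off described above, from an IDS alert to a rule in the INPUT chain, as an added example in Python that models rather than drives Netfilter; it is not the paper's code, which uses libiptc from the kernel side. The Packet and Rule types, the first-match chain traversal, the assumed ACCEPT policy for unmatched normal traffic, and the sample packets and addresses are constructed for this example; the rendered iptables command lines use only the -I, -A, -s, -p, --dport and -j options the paper and the iptables manual document, and nothing is executed.

```python
"""Model of the SOM-IDS to Netfilter/iptables hand-off (added example, not the paper's code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT, DROP or REJECT
    src: Optional[str] = None     # -s: match on source address
    proto: Optional[str] = None   # -p: match on protocol
    dport: Optional[int] = None   # --dport: match on destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or self.src == pkt.src)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

    def to_iptables(self, chain: str, insert: bool = False) -> str:
        """Render the rule as the iptables command line that would install it."""
        argv = ["iptables", "-I" if insert else "-A", chain]
        if self.src is not None:
            argv += ["-s", self.src]
        if self.proto is not None:
            argv += ["-p", self.proto]
        if self.dport is not None:
            argv += ["--dport", str(self.dport)]
        return " ".join(argv + ["-j", self.target])


class Chain:
    """A Netfilter chain: the first matching rule decides; no match, no verdict."""

    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)

    def insert(self, rule: Rule, position: int = 0) -> None:
        self.rules.insert(position, rule)

    def verdict(self, pkt: Packet) -> Optional[str]:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return None


class PreventionSystem:
    """The IPS half of the framework: consult the INPUT chain first and, when an
    IDS alert arrives for a packet that no rule covers, insert a blocking rule."""

    def __init__(self):
        self.input = Chain("INPUT")
        self.issued: List[str] = []   # iptables commands that would have been run

    def handle(self, pkt: Packet, ids_label: str) -> str:
        verdict = self.input.verdict(pkt)
        if verdict is not None:
            return verdict                 # a predefined rule already decides
        if ids_label == "normal":
            return "ACCEPT"                # assumed chain policy for unmatched traffic
        # Alert from the SOM based IDS and no matching rule: block that source
        # (and, for tcp/udp, only the port that was attacked), as the paper describes.
        rule = Rule("DROP", src=pkt.src, proto=pkt.proto,
                    dport=pkt.dport if pkt.dport else None)
        self.input.insert(rule)
        self.issued.append(rule.to_iptables(self.input.name, insert=True))
        return "DROP"


if __name__ == "__main__":
    ips = PreventionSystem()
    ips.input.append(Rule("ACCEPT", proto="tcp", dport=80))   # constructed predefined rule
    flood = Packet("203.0.113.9", "10.0.0.1", "tcp", 22)       # constructed sample packet
    print(ips.handle(flood, "neptune"), ips.issued)
```

Two properties of this model are worth checking in any real deployment of the framework: a predefined ACCEPT rule wins over a later alert, because the chain is consulted before the IDS label is considered, so an overly broad ACCEPT silently disables the prevention half; and the inserted DROP rule persists regardless of later labels, so rules added from alerts need an expiry or review path or a single false positive blocks a source indefinitely.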
V. CONCLUSION AND FUTURE WORK

In this research we have investigated a few of the intrusion detection and prevention systems and critically analyzed them. We have explored the role of self organizing maps, an artificial intelligence technique, for increasing the efficiency of intrusion detection systems. We also presented an extensive study of Netfilter-Iptable for overcoming a few of the limitations of existing intrusion prevention systems. Along with this we finally proposed an integrated version of a SOM based IDS with a netfilter-iptable firewall that does not require any external help in the form of an administrator for handling the malicious data packets. During the research we focused only on three classes: normal, smurf and Neptune. More practical IDSs should handle several attack types; therefore it is possible, as a future development of the present study, to include more attack scenarios in the dataset. We have taken only 6 basic TCP features of a packet for training our network for intrusion detection. Hence in future further improvements can be made by including more parameters of a data packet.

REFERENCES

[1] The Third International Knowledge Discovery and Data Mining Tools Competition, http://kdd.ics.uci.edu/databases/kddcup99.kddcup99.html, May 2002.
[2] W. Lee, S. J. Stolfo and K. W. Mok, "Mining in a data-flow environment: experience in network intrusion detection," in Knowledge Discovery and Data Mining, pp. 114-124, 1999.
[3] Stefano Zanero. Improving Self Organizing Map Performance for Network Intrusion Detection, 2004.
[4] Kunal Chadha and Abhinav Kumar, Thesis submitted as part of Network Forensics Project, Jaypee Institute of Information Technology University, Noida.
[5] Kulesh Shanmugasundaram, Nasir Memon, Anubhav Savant, and Herve Bronnimann. ForNet: A Distributed Forensics Network. V. Gorodetsky et al. (Eds.): MMM-ACNS 2003, LNCS 2776, pp. 1–16, Springer-Verlag Berlin Heidelberg 2003.
[6] Bace, R.G.: Intrusion Detection. Macmillan Technical Pub (2000).
[7] Min Wook Kil, Seung Kyeom Kim, Geuk Lee and Youngmi Kwon. A Development of Intrusion Detection and Protection System Using Netfilter Framework. D. Ślęzak et al. (Eds.): RSFDGrC 2005, LNAI 3642, pp. 520–529, Springer-Verlag Berlin Heidelberg 2005.
[8] Andreas Fuchsberger. Intrusion Detection Systems and Intrusion Prevention Systems. 1363-4127, published by Elsevier Ltd., doi:10.1016/j.istr.2005.08.00, 2005.
[9] Jeong, B.H., Kim, J.N., Sohn, S.W.: Current Status and Expectation of Techniques for Intrusion Protection System. http://kidbs.it.nd.or.kr/WZIN/jugidong/1098/109801.htm
[10] Ilgun, K., Kemmerer, R.A., and Porras, P.A.: State transition analysis: A rule based intrusion detection approach. IEEE Transactions on Software Engineering (March 1995).
[11] Kumar, S. and Spafford, E.H.: An application of pattern matching in intrusion detection. Purdue University Technical Report CSD-TR-94-013 (1994).
[12] Xinyou Zhang, Chengzhong Li and Wenbin Zheng. Intrusion prevention system design. 0-7695-2216-5/04, IEEE (2004).
[13] Shim, D.C.: A trend of Intrusion Detection System. KISDI IT FOCUS 4. Korea Information Strategy Development Institute (2001) 61-65.
[14] U. Labib and V. R. Vemuri. NSOM: A tool to detect denial of service attacks using self-organizing maps.
[15] Sahin Albayrak, Achim Muller, Christian Scheel and Dragan Milosevic. Combining Self-Organizing Map Algorithms for Robust and Scalable Intrusion Detection. Proceedings of the 2005 International Conference on Computational Intelligence for Modelling, Control and Automation, and International Conference on Intelligent Agents, Web Technologies and Internet Commerce (CIMCA-IAWTIC'05), 2005.
[16] Stefano Zanero and Sergio M. Savaresi. Unsupervised learning techniques for an intrusion detection system. SAC'04, March 14-17, 2004, Nicosia, Cyprus. Copyright 2004 ACM 1581138121/03/04.
[17] http://richardbowles.tripod.com/neural/kohonen/kohonen.htm
[18] Haykin, Simon: Neural networks - a comprehensive foundation. Pearson Education (4th Indian reprint, 2003).
[19] Liberios Vokorokos, Anton Balaz and Martin Chovanec. Intrusion detection system using self organizing map. Acta Electrotechnica et Informatica No. 1, Vol. 6, 2006.
[20] Min Wook Kil, Si Jung Kim, Youngmi Kwon and Geuk Lee. Network Intrusion Protection System Using Rule-Based DB and RBAC Policy. IFIP International Federation for Information Processing, NPC 2004, LNCS 3222, pp. 670-675, 2004.
[21] http://www.terms.co.kr, Dictionary of Computer Terms.
[22] Cho, D.I., Song, K.C., Noh, B.K.: Handbook of Analysis for Detection of Network Intrusion and Hacking. Infobook (2001).
[23] http://www.netfilter.org/, netfilter/iptables project homepage, The netfilter project.
[24] ploug.eu.org/doc/s-netip.pdf
[25] http://www.netfilter.org/documentation/HOWTO/pt/packet-filtering-HOWTO.txt
[26] Peter Lichodzijewski, A. Nur Zincir-Heywood and Malcolm I. Heywood. Dynamic Intrusion Detection Using Self-Organizing Maps. CITSS, 2002.