(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 4, July 2010

Framework for vulnerability reduction in real time intrusion detection and prevention systems using SOM based IDS with Netfilter-Iptables

Abhinav Kumar, X-Scholar, CSE Department, Jaypee Institute of Information Technology, Deemed University, Noida, India
Kunal Chadha, X-Scholar, CSE Department, Jaypee Institute of Information Technology, Deemed University, Noida, India
Dr. Krishna Asawa, Associate Prof., CSE/IT Department, Jaypee Institute of Information Technology, Deemed University, Noida, India

Abstract— Intrusion detection systems and intrusion prevention systems are among the possible ways of handling the various types of attacks and intrusions. But the credibility of such systems is itself at stake: none of the existing systems can assure your safety. In this paper we propose the integration of a SOM based intrusion detection system with an intrusion prevention system on the Linux platform for preventing intrusions. We propose a framework for reducing real time security risks by using Self-organizing maps for intrusion detection, accompanied by packet filtering through Netfilter-Iptables to handle the malicious data.

Keywords: Intrusion Detection System, SOM.

I. INTRODUCTION

In today's world every computer is vulnerable and nothing is secure, but the quest of mankind for that ideal security is still going on. The Internet and other ways of communicating over networks are proving to be a boon as well as a bane: a boon when they provide new dimensions to business, and a bane with the harmful effects of intrusions into various networks. Every now and then we witness various types of attacks and keep banging our heads in solving them. As soon as one computer is connected to another there is the added possibility that someone using the other computer can access our computer's information, eventually leading to intrusions. Some recent surveys show that cyber attacks targeted at networks are no longer an unlikely incident that only occurs to a few exposed networks of organizations in the limelight. In the struggle to both maintain and implement any given IT security policy, professional IT security management is no longer able to ignore these issues, as attacks are more frequent and devastating; commercial success is directly related to the safe and reliable operation of their networks [4].

Intrusion is an action that attacks the integrity, confidentiality and availability of system resources [3]. Intrusion detection systems were developed for this cause, so that they can detect the malicious data packets travelling on the network in real time. But they have their own limitations, such as being unable to do session based detection, which uses multiple packets [2]. In a network based IDS, packets are examined according to both header and payload, searching for attack signatures stored in the IDS attack signature database, which is the vital part of any IDS software [4]; but such a system becomes inefficient when we talk about blocking those attacks, which can hence easily enter a system. Each such system is passive in reporting intrusions and hence does not provide real time security.

For handling such situations we propose a real time system that consists of an intrusion detection system based on Self-organizing maps, for tracing down the malicious packets, along with handling those packets through an intrusion prevention system in the Linux environment. Self-organizing maps are an unsupervised way of learning and have the ability to express topological relationships [22]. The hypothesis is that typical connection characteristics will be emphasized (densely populated regions of the map) whereas atypical activities will appear in sparse regions of the topology [22]. The selection of SOM for intrusion detection is also guided by its robustness with regard to the choice of the number of classes to divide the data into; it is also resistant to the presence of outliers in the training data, which is a desirable property: in real-world situations the training data could already contain attacks or anomalies, and the algorithm must be capable of learning regular patterns out of a "dirty" training set [25]. Detection is followed by prevention using the Netfilter-Iptables available in the Linux environment [3]. Our system blocks the malicious data packets as soon as they are detected, without any external help, in real time.

This paper is organized in sections in which we discuss existing intrusion detection systems as well as intrusion prevention systems. This is followed by a description of the framework, which consists of the training of the SOM and the usage of netfilter-iptables for packet filtering.


                                                                                                         ISSN 1947-5500

II. EXISTING INTRUSION DETECTION SYSTEMS

Scientists and researchers have been working continuously for quite a few years on the development of a perfect intrusion detection system (IDS) that cannot be bluffed. Its main job is to monitor, analyze, detect and respond to intrusions into information systems [5]. Intrusion detection systems can be broadly categorized into signature based and anomaly detection systems, and may be passive. Signature based IDS look for attack signatures, specific patterns of network traffic or activity in log files that indicate suspicious behavior. Signature-based methods rely on a specific signature of an intrusion which, when found, triggers an alarm [6, 7]. Coming to its sub-categories: if an IDS searches for suspicious attack signatures in the traffic flowing on the network it is called a Network intrusion detection system (NIDS), and when the same is done by looking at the log files of hosts, it is termed a Host intrusion detection system (HIDS) [4]. HIDS is mostly deployed in e-commerce environments for securing sensitive data, but it serves the purpose only at the host level. NIDS performs the search for attack signatures at the packet level, and as soon as a match is found an alarm is raised. The anomaly detection IDS uses statistical techniques to detect penetrations and attacks; it begins with the establishment of a base-line statistical behavior, that is, what the normal behavior of this system is. After that it captures new statistical data and measures the deviation from the base line. Once a threshold is exceeded, an alarm is generated [4].

All the above-mentioned IDSs suffer from a few serious limitations. As attack trails increase, it becomes difficult for a network IDS or host IDS to detect the attacks with a limited capability [9]. Some of them are: 1) High misinformation rate: bulky logs and real-time prevention are problems that have not yet been solved efficiently [3]. An alarm gets raised even if there was no attack (false positive), and no alarm is raised even if there is an attack (false negative). Hence there is a need for a more exact and effective access control policy [8], and in anomaly detection methods the base line needs to be adjusted dynamically. 2) Once an IDS gets attacked, it allows the attacker to move freely on the network [8]. 3) There is no way by which an IDS can block an attacker; it remains confined only to its primary job of detection.

III. INTRUSION PREVENTION SYSTEM

An intrusion prevention system (IPS), also known as a Network Defense System (NDS), is a system in which a firewall is tightly coupled with an IDS so that it can react to changes in the network environment [8]. It can be in the form of software or hardware, helping to block illegal external attacks, preventing the loss, destruction and alteration of internal information by illegitimate users over the Internet, and helping internal information to be provided to the outside safely. It is an active protection process that prohibits incoming illegal traffic and permits only authorized traffic [17]. The IPS is generally located in the rear section of the router and keeps a check on the packets forwarded to the router by analyzing and comparing them with filter rules [16]. In order to provide proper security the IPS should fulfill criteria such as: it must be part of the communication link and supported by dedicated hardware; it should actively detect intrusions in real time; and it should block those intrusions instantaneously.

IV. PROPOSED FRAMEWORK

The proposed framework for an efficient intrusion detection-protection system is an integration of a SOM based intrusion detection system working in coherence with a netfilter-iptables based firewall. Self-organizing maps, being an unsupervised way of learning, are one of the best choices for intrusion detection because they clearly identify the "odd" phenomenon even in a vast amount of observations, which is their core property. Apart from this, they do not require a priori knowledge as input.

The DARPA 1998 Intrusion Detection Evaluation data set consists of about 5 million connections of labeled training data and 2 million connections of test data [23]. This data consists of the values of all 41 features of a data packet along with its labeling into the categories normal, smurf, Neptune etc. These 41 features consist of basic TCP features, content features, time-based traffic features and host-based traffic features [24]. Since the proposed work is a data driven, unsupervised form of learning, out of those 41 features only the 6 carrying basic TCP information are required, namely: duration of connection, protocol type (tcp/udp), service (HTTP etc.), destination bytes, source bytes and the value of the flag. Hence the SOM based IDS has 6 inputs and classifies packets into three clusters: normal, smurf and Neptune, the latter two being the attacks. Once this network has been trained with this data, it is ready for detecting malicious packets.

• Why SOM for intrusion detection?

Intrusions carried out by an unknown program lead to disasters because of its unknown behavior and characteristics. Although we can find out its characteristics, they remain a mystery for us, so we need to classify it into the normal and the abnormal states [11]. Now the problem is reduced to defining the normal and the abnormal states.

The architecture of Self-organizing maps was developed by Teuvo Kohonen at the University of Helsinki. Self-organizing maps are provided only with a series of input patterns and learn for themselves how to group these together so that similar patterns produce similar outputs. A SOM consists of a single layer of cells, all of which are connected to a series of inputs. The inputs themselves are not cells and do no processing; they are just the points where the input signal enters the system [14], as shown in Figure 1.



Figure 1 (Self Organizing Map): a single layer of cells connected to the inputs x1 … xN

This network involves unsupervised learning, and hence it finds for itself what it needs to learn, without any external help. In the area of intrusion detection systems, the use of unsupervised learning algorithms supports the detection of anomalies [10, 12]. Moreover, a learning algorithm can be tuned totally to the specific network it operates in, which is also an important feature for reducing the number of false positives and optimizing the detection rate [12].

• Training the SOM

The training of a self-organizing map involves sampling, similarity matching and updating, apart from the basic initialization of the weights to very small values in the range 0 to 0.01 [13]. The learning process of the SOM is as follows:

1) During initialization, the only restriction is that $\mathbf{w}_j(0)$ be different for $j = 1, 2, \ldots, l$, where $l$ is the number of neurons in the lattice.

2) This is followed by sampling, where a sample vector $\mathbf{x}$ (representing an activation pattern) is drawn from the input space with a certain probability and presented to the lattice. In the proposed work, out of the previously mentioned 41 features, the 6 basic TCP features are presented to the network.

3) In similarity matching every node is examined to calculate which one's weights are most like the input vector. The winning node is commonly known as the Best Matching Unit (BMU) or winning neuron. The BMU is calculated by iterating through all the nodes and calculating the Euclidean distance between each node's weight vector and the current input vector. Hence the BMU $i(\mathbf{x})$ at time step $n$, using the minimum-distance Euclidean criterion, is:

$$i(\mathbf{x}) = \arg\min_{j} \| \mathbf{x}(n) - \mathbf{w}_j \|, \quad j = 1, 2, \ldots, l \qquad \text{(Formula 1)}$$

The node with a weight vector closest to the input vector is tagged as the BMU. As the learning proceeds and new input vectors are given to the lattice, the learning rate gradually decreases to zero according to the specified learning rate function type [15]. Along with the learning rate, the neighborhood radius decreases as well.

4) In the updating phase the synaptic weight vectors of all the neurons are updated using the formula

$$\mathbf{w}_j(n+1) = \mathbf{w}_j(n) + \eta(n)\, h_{j,i(\mathbf{x})}(n)\, \big(\mathbf{x}(n) - \mathbf{w}_j(n)\big) \qquad \text{(Formula 2)}$$

where $\eta(n)$ is the learning-rate parameter, which has been set to 0.1, and $h_{j,i(\mathbf{x})}(n)$ is the neighborhood function centered around the winning neuron $i(\mathbf{x})$; both $\eta(n)$ and $h_{j,i(\mathbf{x})}(n)$ are varied dynamically during learning for best results [14].

5) We continue from step 2 until no noticeable changes in the feature map are observed, or for a given number of iterations (generally fixed; in our case it is 50000).

After training, the SOM is ready to categorize the packets into three different categories, namely smurf, Neptune and normal. After this phase the work of the intrusion prevention system starts. The efficiency of an IPS is decreased by certain limitations in its basic principles. An IPS performs packet filtering based on predefined rules, so what if there is a novel attack? An IPS has passive characteristics, such that it can enforce only the predefined rules and filter some kinds of packets [18]. Apart from this, it is also not able to detect an attack carried out from the internal network of an organization. We propose to use Netfilter-Iptables for overcoming many such drawbacks of intrusion prevention systems.

• Netfilter-Iptables

Netfilter is a set of hooks inside the Linux kernel [18]. It is a framework that enables packet filtering, network address (and port) translation and other packet mangling. It performs packet filtering based on rules saved in packet filtering tables in kernel space. The rules are grouped in chains according to the types of packets they deal with. Rules dealing with incoming packets are added to the INPUT chain, rules dealing with outgoing packets are added to the OUTPUT chain, and rules dealing with packets being forwarded are added to the FORWARD chain [20]. Other than these three chains there are other chains as well, like PREROUTING and POSTROUTING and user defined chains. As soon as a packet comes to a chain, its next action is decided on that chain.

When a packet matches a rule, the action performed may be ACCEPT, in which case the packet is allowed to go wherever it is destined (-j ACCEPT); DROP, in which case the packet is blocked and no further processing is done on it (-j DROP); or REJECT, which is similar to DROP but does not leave dead sockets and sends back an error message (-j REJECT), as shown in Figure 2 [21]. There are a few more actions that can be performed on packets.
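The five training steps of "Training the SOM" above, carried through as a runnable example added here (not code from the paper): a 4×4 map with 6 inputs is trained with Formula 1 for matching and Formula 2 with a Gaussian neighbourhood for updating, then each neuron is named after the majority class of the training connections that chose it, so that unseen connections can be classified as normal, smurf or Neptune. The category encodings, the scaling of byte counts and the training records are assumptions constructed for the example; the paper itself trains on the DARPA data set.

```python
import math
import random

# Assumed category encodings; the paper does not say how it encodes them.
PROTOCOLS = {"tcp": 0.0, "udp": 0.5, "icmp": 1.0}
SERVICES = {"http": 0.0, "ecr_i": 0.5, "private": 1.0}
FLAGS = {"SF": 0.0, "S0": 0.5, "REJ": 1.0}


def encode(conn):
    """Map a connection record to the 6 basic TCP features, scaled to [0, 1]."""
    return [min(conn["duration"] / 60.0, 1.0),
            PROTOCOLS[conn["protocol_type"]],
            SERVICES[conn["service"]],
            min(conn["dst_bytes"] / 2000.0, 1.0),
            min(conn["src_bytes"] / 2000.0, 1.0),
            FLAGS[conn["flag"]]]


class SOM:
    def __init__(self, rows, cols, dim, seed=1):
        rnd = random.Random(seed)
        self.rows, self.cols = rows, cols
        # Step 1: distinct small initial weights in the range 0 to 0.01.
        self.w = [[rnd.uniform(0.0, 0.01) for _ in range(dim)]
                  for _ in range(rows * cols)]
        self.labels = {}  # neuron index -> class name, filled by calibrate()

    def bmu(self, x, candidates=None):
        """Step 3 / Formula 1: the neuron whose weight vector is nearest to x."""
        candidates = range(len(self.w)) if candidates is None else candidates
        return min(candidates, key=lambda j: math.dist(x, self.w[j]))

    def train(self, vectors, iterations=5000, eta0=0.1, seed=1):
        """Steps 2-5: sample, match, update; stop after a fixed iteration count."""
        rnd = random.Random(seed)
        sigma0 = max(self.rows, self.cols) / 2.0
        for n in range(iterations):
            x = rnd.choice(vectors)                     # Step 2: sampling
            i = self.bmu(x)                             # Step 3: winning neuron
            frac = n / iterations
            eta = eta0 * (1.0 - frac)                   # eta(n) decays towards zero
            sigma = max(sigma0 * (1.0 - frac), 0.5)     # neighbourhood radius shrinks
            ri, ci = divmod(i, self.cols)
            for j, wj in enumerate(self.w):             # Step 4: Formula 2
                rj, cj = divmod(j, self.cols)
                d2 = (ri - rj) ** 2 + (ci - cj) ** 2
                h = math.exp(-d2 / (2.0 * sigma * sigma))  # Gaussian h_{j,i(x)}(n)
                for k in range(len(wj)):
                    wj[k] += eta * h * (x[k] - wj[k])

    def calibrate(self, labelled):
        """Name each neuron after the majority label of the samples that chose it."""
        votes = {}
        for x, label in labelled:
            counts = votes.setdefault(self.bmu(x), {})
            counts[label] = counts.get(label, 0) + 1
        self.labels = {j: max(c, key=c.get) for j, c in votes.items()}

    def classify(self, conn):
        """Classify a connection by the nearest neuron that received a name."""
        return self.labels[self.bmu(encode(conn), list(self.labels))]


def make_training_set(per_class=40, seed=7):
    """Constructed records shaped like the paper's three classes (not DARPA data)."""
    rnd = random.Random(seed)
    records = []
    for _ in range(per_class):
        records.append(({"duration": rnd.uniform(0, 2), "protocol_type": "tcp",
                         "service": "http", "dst_bytes": rnd.randint(500, 1500),
                         "src_bytes": rnd.randint(200, 400), "flag": "SF"}, "normal"))
        records.append(({"duration": 0, "protocol_type": "icmp", "service": "ecr_i",
                         "dst_bytes": 0, "src_bytes": 1032, "flag": "SF"}, "smurf"))
        records.append(({"duration": 0, "protocol_type": "tcp", "service": "private",
                         "dst_bytes": 0, "src_bytes": 0, "flag": "S0"}, "neptune"))
    return records


def demo():
    """Train on the constructed set and classify three unseen connections."""
    labelled = [(encode(c), lab) for c, lab in make_training_set()]
    som = SOM(rows=4, cols=4, dim=6)
    som.train([x for x, _ in labelled], iterations=3000)
    som.calibrate(labelled)
    tests = [{"duration": 1, "protocol_type": "tcp", "service": "http",
              "dst_bytes": 900, "src_bytes": 300, "flag": "SF"},
             {"duration": 0, "protocol_type": "icmp", "service": "ecr_i",
              "dst_bytes": 0, "src_bytes": 1032, "flag": "SF"},
             {"duration": 0, "protocol_type": "tcp", "service": "private",
              "dst_bytes": 0, "src_bytes": 0, "flag": "S0"}]
    return tuple(som.classify(c) for c in tests)
```

`demo()` returns the labels assigned to a constructed normal, smurf and Neptune connection in that order; neurons that never won a training sample stay unnamed and are skipped at classification time.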



Figure-2 (Netfilter system) [21]: incoming packets pass through the INPUT chain to the internal processes and forwarded packets through the FORWARD chain, while outgoing packets pass through the OUTPUT chain; at each chain a packet is ACCEPTed, DROPed or REJECTed.

The iptables tool inserts and deletes rules from the kernel's packet filtering table [21]. 'Iptables' is not a packet filtering tool in itself; it is just the command tool of the Netfilter framework imported into the kernel, and we use this tool to make rules that reflect the current intrusion aspects [3]. A few of its commands are: (-N) create a new chain, (-L) list the rules in a chain, (-F) flush the rules out of a chain, (-A) append a new rule to a chain, (-I) insert a new rule at some position in a chain, (-X) delete an empty chain, (-D) delete a rule at some position in a chain, or the first that matches, etc. For example, for deleting rule 1 of the INPUT chain:

           # iptables -D INPUT 1

For blocking incoming packets from a given IP address (shown here as the placeholder <ip-address>):

           # iptables -A INPUT -s <ip-address> -j DROP

The update of the rules table is carried out using libiptc (libiptc is a library for setting the packet filtering function in the Netfilter framework) [3], and can take the form of blocking that particular IP address or blocking only that particular port, as shown in Figure 3.

Figure-3 (Integrated Framework): the communication channel captures the data packet and transfers its 6 TCP features to the trained SOM based IDS; if the packet is an intrusion, the Netfilter-iptables firewall blocks it, otherwise it is ignored and passed on over the communication channel.
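The "Block" action of Figure 3, as an added example (not the paper's code, which uses libiptc): an alert carrying the label, source address and destination port of the offending packet is turned into a rule for the INPUT chain, checked with `iptables -C` so that repeated alerts do not pile up duplicate rules, and inserted with `iptables -I`. The alert format, the `Firewall` and `FakeIptables` names and the TEST-NET addresses are assumptions constructed for this example; the fake stands in for the real binary so the logic runs without root.

```python
import ipaddress
import subprocess


def build_rule(src_ip=None, dport=None, proto="tcp", target="DROP"):
    """Build the iptables match for one alerted packet as an argument list.

    The paper's two forms are covered: block the whole source address
    (dport=None) or block only a destination port (src_ip=None).  The address
    and port are validated so that a malformed alert can never smuggle extra
    iptables options into the command line.
    """
    if src_ip is None and dport is None:
        raise ValueError("an alert must carry an IP address or a port")
    if target not in ("DROP", "REJECT"):
        raise ValueError("unsupported target: %r" % target)
    rule = []
    if src_ip is not None:
        rule += ["-s", str(ipaddress.ip_address(src_ip))]  # ValueError on garbage
    if dport is not None:
        port = int(dport)
        if not 0 < port < 65536:
            raise ValueError("port out of range: %r" % dport)
        rule += ["-p", proto, "--dport", str(port)]
    return rule + ["-j", target]


class Firewall:
    """Applies IDS alerts to one chain through the iptables command."""

    def __init__(self, run=None, chain="INPUT"):
        self.chain = chain
        self.run = run if run is not None else self._run_iptables

    @staticmethod
    def _run_iptables(argv):
        """Invoke the real binary (needs root); returns its exit status."""
        return subprocess.run(["iptables"] + argv, capture_output=True).returncode

    def has_rule(self, rule):
        # -C exits 0 when an identical rule already exists in the chain.
        return self.run(["-C", self.chain] + rule) == 0

    def handle(self, alert):
        """Return "ignored", "present" or "inserted" for one alert (Figure 3)."""
        if alert["label"] == "normal":
            return "ignored"
        # smurf is an ICMP flood: no port to block, so block the address only.
        dport = None if alert["label"] == "smurf" else alert.get("dport")
        rule = build_rule(alert.get("src_ip"), dport)
        if self.has_rule(rule):
            return "present"
        if self.run(["-I", self.chain, "1"] + rule) != 0:  # insert at position 1
            raise RuntimeError("iptables -I failed for %r" % rule)
        return "inserted"


class FakeIptables:
    """In-memory stand-in for the iptables binary so the example runs offline."""

    def __init__(self):
        self.chains = {"INPUT": [], "OUTPUT": [], "FORWARD": []}

    def __call__(self, argv):
        op, chain, rest = argv[0], argv[1], argv[2:]
        if op == "-C":
            return 0 if rest in self.chains[chain] else 1
        if op == "-I":
            self.chains[chain].insert(int(rest[0]) - 1, rest[1:])
            return 0
        if op == "-A":
            self.chains[chain].append(rest)
            return 0
        return 2  # any other command is "unsupported" in this fake


def demo():
    """Feed constructed alerts (TEST-NET addresses) through the firewall."""
    fake = FakeIptables()
    fw = Firewall(run=fake)
    alerts = [
        {"label": "neptune", "src_ip": "198.51.100.23", "dport": 23},
        {"label": "neptune", "src_ip": "198.51.100.23", "dport": 23},  # repeat
        {"label": "normal", "src_ip": "192.0.2.10", "dport": 80},
        {"label": "smurf", "src_ip": "203.0.113.7"},
        {"label": "neptune", "src_ip": "203.0.113.7 -j ACCEPT", "dport": 23},
    ]
    outcomes = []
    for alert in alerts:
        try:
            outcomes.append(fw.handle(alert))
        except ValueError:
            outcomes.append("rejected")  # malformed alert never reaches iptables
    return outcomes, fake.chains["INPUT"]
```

Passing `Firewall()` no `run` argument drives the real iptables binary with the same argument vectors; the last constructed alert shows why the address is validated before it is placed on that command line.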

As soon as the SOM based IDS finds an attack it generates an alert. Along with generating the alarm, it also passes the information, the port number and IP address of that malicious packet, to the netfilter-iptables firewall. Then the IPS (firewall) decides how to deal with that packet according to the rules of the kernel's packet filtering table. The decision regarding dropping, accepting or rejecting the incoming packets is taken at this juncture, after matching the packets with the predefined rules present in the various chains (input, output, forward). In cases of indecision, or if no matching rule is present in the packet filtering table, it updates the table by inserting additional rules into it. This property of Netfilter-Iptables overcomes its limitation of handling only those packets for which predefined rules are available. This updating of the rules table is carried out using libiptc [3].

V. CONCLUSION AND FUTURE WORK

In this research we have investigated a few of the intrusion detection and prevention systems and critically analyzed them. We have explored the role of self-organizing maps, an artificial intelligence technique, in increasing the efficiency of intrusion detection systems. We also presented an extensive study of Netfilter-Iptables for overcoming a few of the limitations of existing intrusion prevention systems. Along with this we finally proposed an integrated version of a SOM based IDS with a netfilter-iptables firewall that does not require any external help in the form of an administrator for handling the malicious data packets. During the research we focused only on three classes: normal, smurf and Neptune. More practical



IDSs should have several attack types; therefore it is possible, as a future development of the present study, to include more attack scenarios in the dataset. We have taken only 6 basic TCP features of a packet for training our network for intrusion detection. Hence in future, further improvements can be made by including more parameters of a data packet.

REFERENCES

[1] Kulesh Shanmugasundaram, Nasir Memon, Anubhav Savant, and Herve Bronnimann. ForNet: A Distributed Forensics Network. V. Gorodetsky et al. (Eds.): MMM-ACNS 2003, LNCS 2776, pp. 1–16, Springer-Verlag Berlin Heidelberg, 2003.
[2] Bace, R.G.: Intrusion Detection. Macmillan Technical Pub (2000).
[3] Min Wook Kil, Seung Kyeom Kim, Geuk Lee and Youngmi Kwon. A Development of Intrusion Detection and Protection System Using Netfilter Framework. D. Ślezak et al. (Eds.): RSFDGrC 2005, LNAI 3642, pp. 520–529, Springer-Verlag Berlin Heidelberg, 2005.
[4] Andreas Fuchsberger. Intrusion Detection Systems and Intrusion Prevention Systems. 1363-4127, Elsevier Ltd., doi:10.1016/j.istr.2005.08.00, 2005.
[5] Jeong, B.H., Kim, J.N., Sohn, S.W.: Current Status and Expectation of Techniques for Intrusion Protection System. jugidong/1098/109801.htm
[6] Ilgun, K., Kemmerer, R.A., and Porras, P.A.: State transition analysis: A rule based intrusion detection approach. IEEE Transactions on Software Engineering (March 1995).
[7] Kumar, S. and Spafford, E.H.: An application of pattern matching in intrusion detection. Purdue University Technical Report CSD-TR-94-013 (1994).
[8] Xinyou Zhang, Chengzhong Li and Wenbin Zheng. Intrusion prevention system design. 0-7695-2216-5/04, IEEE (2004).
[9] Shim, D.C.: A trend of Intrusion Detection System. KISDI IT FOCUS 4, Korea Information Strategy Development Institute (2001) 61-65.
[10] U. Labib and V. R. Vemuri. NSOM: A tool to detect denial of service attacks using self-organizing maps.
[11] Sahin Albayrak, Achim Muller, Christian Scheel and Dragan Milosevic. Combining Self-Organizing Map Algorithms for Robust and Scalable Intrusion Detection. Proceedings of the 2005 International Conference on Computational Intelligence for Modelling, Control and Automation, and International Conference on Intelligent Agents, Web Technologies and Internet Commerce (CIMCA-IAWTIC'05), 2005.
[12] Stefano Zanero and Sergio M. Savaresi. Unsupervised learning techniques for an intrusion detection system. SAC'04, March 14-17, 2004, Nicosia, Cyprus. ACM 1581138121/03/04.
[14] Haykin, Simon: Neural networks: a comprehensive foundation. Pearson Education (4th Indian reprint, 2003).
[15] Liberios Vokorokos, Anton Balaz and Martin Chovanec. Intrusion detection system using self organizing map. Acta Electrotechnica et Informatica, Vol. 6, No. 1, 2006.
[16] Min Wook Kil, Si Jung Kim, Youngmi Kwon and Geuk Lee. Network Intrusion Protection System Using Rule-Based DB and RBAC Policy. IFIP International Federation for Information Processing, NPC 2004, LNCS 3222, pp. 670-675, 2004.
[17] Dictionary of Computer Terms.
[18] Cho, D.I., Song, K.C., Noh, B.K.: Handbook of Analysis for Detection of Network Intrusion and Hacking. Infobook (2001).
[19] netfilter/iptables project homepage – The netfilter project.
[22] Peter Lichodzijewski, A. Nur Zincir-Heywood and Malcolm I. Heywood. Dynamic Intrusion Detection Using Self-Organizing Maps. CITSS, 2002.
[23] The Third International Knowledge Discovery and Data Mining Tools, May 2002.
[24] W. Lee, S. J. Stolfo and K. W. Mok, "Mining in a data-flow environment: experience in network intrusion detection," in Knowledge Discovery and Data Mining, pp. 114-124, 1999.
[25] Stefano Zanero. Improving Self Organizing Map Performance for Network Intrusion Detection, 2004.
[26] Kunal Chadha and Abhinav Kumar, Thesis submitted as part of Network Forensics Project, Jaypee Institute of Information Technology University, Noida.

