; A Hybrid Network Interface Card-Based Intrusion Detection System
Learning Center
Plans & pricing Sign in
Sign Out
Your Federal Quarterly Tax Payments are due April 15th Get Help Now >>

A Hybrid Network Interface Card-Based Intrusion Detection System

VIEWS: 103 PAGES: 10

The International Journal of Computer Science and Information Security is a monthly periodical on research articles in general computer science and information security which provides a distinctive technical perspective on novel technical research work, whether theoretical, applicable, or related to implementation. Target Audience: IT academics, university IT faculties; and business people concerned with computer science and security; industry IT departments; government departments; the financial industry; the mobile industry and the computing industry. Coverage includes: security infrastructures, network security: Internet security, content protection, cryptography, steganography and formal methods in information security; multimedia systems, software, information systems, intelligent systems, web services, data mining, wireless communication, networking and technologies, innovation technology and management. Thanks for your contributions in July 2010 issue and we are grateful to the reviewers for providing valuable comments. IJCSIS July 2010 Issue (Vol. 8, No. 4) has an acceptance rate of 36 %.

More Info
  • pg 1
									                                                              (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                   Vol. 8, No. 4, July 2010

    A Hybrid Network Interface Card-Based Intrusion
                  Detection System

                     Samir Elmougy,                                                      Mohammed Mohsen,
     Faculty of Computers and Information Sciences,                         Faculty of Computers and Information Sciences,
                  Mansoura University,                                                   Mansoura University,
                 Mansoura 35516, Egypt,                                                 Mansoura 35516, Egypt,
                  mougy@mans.edu.eg                                                    mohsen_cs@hotmail.com

Abstract—In recent years, the networks have played a vital               unauthorized use, misuse, or abuse of computer systems by
factor in modern society. To prevent data tampering as well as           authorized user.
eavesdropping, it’s important to ensure that connections are
always private and secure. Intrusion Detection Systems (IDSs)                Firewalls are placed in between two or more computer
are gaining more importance to the applied technologies and              networks to stop committed attacks into or out of these
become an integral part of the security infrastructure of                networks. Packet filtering firewall usually works by scanning
organizations.                                                           a packet for both of the layer three and the layer four
                                                                         protocols information. A packet filtering firewall works by
          In this paper, a new hybrid intrusion detection system         applying some filtering rules called policies. Provide
called HSIDS combines both of heuristic and signature                    information regarding whether the event is occurred or not
intrusion detection approaches is proposed and implemented               cannot be obtained [2, 6, 7]. Firewalls are not totally enough
based on reading bytes from the Network Interface Cards                  to ensure the network security. Hence, intrusion detection
(NICs). Embedding the capturing module in the protocols                  systems (IDSs) are needed to identify malicious activity and
stack is another capturing method used in HSIDS. HSIDS's                 suspicious in computer systems [8].
structured is layered which allows to detect bugs fast and
easily. Also, its functionality is not depending on any external             Intrusion detection systems depend on monitoring the
applications, so it is easy to upgrade its protocols parsing             computer systems or the networks to gather information,
classes. The experimentation results show that the proposed              analyze this information, and recognize the system behavior
system is an efficient IDS.                                              to take a suitable action to prevent any completion of this
                                                                         attack and to ensure that the system is safe. IDSs are working
    Keywords-Computer security, hybrid intrusion detection               by scanning packets at layer three and at layer four. IDSs
system, network interface cards (NIC), heuristic intrusion               can scan the different levels protocols of application and can
detection, signature intrusion detection.                                also recognize the traffic type such as DNS, http and DNS
                                                                         [6]. IDS is alarming when there is a specific packet founded
                      I.   INTRODUCTION                                  to match the parameters (the port number, the transport
    Today, organizations rely on flexible and efficient                  protocols (TCP/UDP), the IP address, the application
security approaches and tools to guarantee that their                    protocols and the content) that are predefined by the IDS
information being exchanged is secured and privacy. Many                 rules.
approaches have been achieved to assure system privacy and                   Two main methodologies namely anomaly detection and
security such as user authentication, authorization,                     signature (misuse) detection are used in IDSs. Signature
encryption, firewalls, antivirus, and intrusion detection                detection approach is effective for detecting those types of
Systems (IDSs). Computer security is that field concerning               attacks without many false alarms. In the anomaly detection
with using technology, policies, and education to assure                 approach, the used heuristic function extends the power of
many factors such as the confidentiality, integrity, and                 the IDS dramatically since the admin will usually adjust it
availability of information system resources. This includes              according to the very details of the network activities and
hardware, software, firmware, information/data and                       nature. In other words, heuristic-based IDSs can cover all
telecommunications [1, 2]. To secure data, three main                    internal and external aspects of the network but signature-
activities should be pursued: prevention, detection, and                 based IDS can cover only external aspects (attacks with
recovery [3]. To be able to get a secure system, it is                   signature). Heuristic based IDSs are limited only for attacks
important to identity threats, extract characteristics from the          to exhibit abnormal behavioral patterns.
threats, and encode the characteristics into software to detect
those threats [4]. Intrusion is simply an attack attempting to              The main problems of using standard signature-based or
access machine to get and/or manipulate information or to                anomaly-based IDSs is that their detection methods depend
force it to be unreliable or unusable [5]. Intrusion can be              on detection instructions at the host processor level. Also,
                                                                         when an abnormal activity is detected using any of those

                                                                   304                             http://sites.google.com/site/ijcsis/
                                                                                                   ISSN 1947-5500
                                                             (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                  Vol. 8, No. 4, July 2010
approaches, the anomalous packets will not be prevented                          network then where should IDS is deployed?
from causing some bad effects such as trying to slow down                        Deploying IDS in a ring token network is very
or stop the system and the central processing unit. These                        expensive as the IDS will have to be able to see the
problems cause the need to use Network Interface Cards                           traffic passing between every two nodes. So,
(NICs) in the network intrusion detection applications [9,                       usually the network structure is changed to permit
10]. NICs are used to transfer data between different                            efficient integration of IDS into the network.
components of the system and the network. NIC first
examines the transmitted packet headers and simply takes the                3.   The place of firewall: Assume that there is a
decision of not forwarding any founded suspicious packets.                       network sees the internet through a firewall that acts
Hybrid IDS is combined of two or more of IDSs                                    as a bottleneck to the network connection. An ideal
architectures to overcome the drawback and weaknesses of                         place to deploy the IDS is where the data stream is
using each one of these IDSs alone.                                              supposed to be filtered. In other meaning, IDS
                                                                                 should be placed according to the diagram given in
   In this paper, a new intrusion detection system, we call it                   Fig. 1.
HSIDS, is proposed and implemented. HSIDS packet
capturing depends upon reading bytes from the NIC by
identifying the NIC system name in order to initialize
handling for communicating with it. HSIDS combines both
of heuristic detection and signature based detection
approaches to overcome the drawback of using both alone.
    This paper is organized as follows. In Section II, an idea
about what is IDS, its types, methods, what it can do, and
what it cannot do and discussing some related work are
introduced. Our proposed system, HSIDS, is introduced in
Section III. A discussion for how the package is captured
using HSIDS is explained in Section IV. Section V covers
HSIDS configurations and using. The conclusions and some
future work are discussed in Section VI.                                               Figure 1. Positions of IDS and Firewall

          II.   BACKGROUND AND RELATED WORK                                 4.   Mistakes usually occurred when deploying IDS:
                                                                                 The following are some mistakes usually occurred
    IDS system collects information from the networks and                        when deploying IDS systems [12]:
tries to detect attacks. It basically captures the flowing
network stream of data and starts attempting to know if it                           Deploying the network IDS without sufficient
threatens the network. IDSs types vary due to their methods                           infrastructure planning.
of operations. Some common types of IDSs are:
                                                                                     When the IDS is deployed appropriately, but
    1.   Network IDS, NIDS: IDS that detects intrusions in                            nobody is looking at the alerts it generates
         a network
                                                                                     Network IDS is deployed, "sees" all the traffic
    2.   Distributed IDS, DIDS: IDS distributed on more                               and there is a moderately intelligent somebody
         than one host and may have a centralized log,                                reviewing the alert stream.
         analysis processing unit or an intrusion reporting
         unit (i.e. monitor).                                                        All the previous pitfalls are avoided and the
                                                                                      NIDS is humming along nicely. However, the
    3.   Host IDS, HIDS: IDS that detects intrusions on a                             staff monitoring the IDS starts to get flooded
         host (single workstation).                                                   with alerts.
        The place in a network to place IDS is greatly                               Not accepting the inherent limitations of
    depending upon many factors as:                                                   network IDS technology. While anomaly-based
    1.   The purpose of the IDS: If the IDS is supposed to                            IDS systems might potentially detect an
         protect a whole network, then it should be seeing                            unknown attack, most signatures based IDS
         the whole network traffic. If it’s supposed to protect                       will miss a new exploit if there is no rule
         a node, then all that should be done is placing the                          written for it.
         IDS on that node. The main idea is just to see all the             IDS alerts have a ratio of falseness and needs
         traffic needed. Adjusting the NIC filter is very               adjustments. The alert reporting method is significant,
         important which it will be discussed later in                  whether it will send a mail, pop up a message, and start a
         "Capture a packet?” section.                                   sound declaring an attack or even send an SMS to the
    2.   Token of the Network: IDS is supposed to see all               network administrator. Many IDSs can only analyze the
         the traffic which it is supposed to check for                  attacks but others try to stop the attack at the time of the
         intrusion signs. Assume that there is a ring token

                                                                  305                              http://sites.google.com/site/ijcsis/
                                                                                                   ISSN 1947-5500
                                           (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                Vol. 8, No. 4, July 2010

intrusion. Network traffic data, system status files,          an alert be a positive one. So access care should be
system level test data, are the main types of data             taken when coding heuristic rules.
used by IDSs [13].
                                                                   NIC is used to move data through the different
    Two main different methodologies in designing              system components and the network. It first
intrusion detection systems are signature-based and            examines the transmitted packet headers and simply
Heuristic-based. Heuristic-based (synonymous with              takes the decision of not forwarding any founded
anomaly-based) IDSs approach deal with the                     suspicious packets. IDSs based on NICs can result
uncovering the behaviors of abnormal patterns                  in better performance of the overall network
given a model of user’s normal behavior. So, any               security system because NICs can provide IDS by
event causes violating the model is a suspicious.              [9, 11]:
This usually implies the use of extensive attack free
training sets in order to characterize normal                            Better coverage: a one-to-one mapping
behavior. The alerting phase comes when a pre                             between NICs and hosts.
defined level of deviation occurs. If some protocols                     Scalability: natural           distribution       of
start taking over the bandwidth, the bandwidth                            computation.
availability is running low, so many login failure on
a specific machine. When a huge deviation occurs                         Less aggregation: detect more specific
from the usually snap shot of the network, alert is                       intrusions.
issued. Anomaly detection is very powerful for                           Detecting intrusion internal to a LAN
detecting DoS attacks, network scanning and
sniffing, but it could be easily fooled. A simple                        Potentially detecting more complex exploits
attack needing no more than launching an exploit                          by cooperating NICs.
won't be an enough deviation from the original state
of the network. However, it has the drawback of                          Improving performance by independency
producing high false alarms if a reasonable                               from host adds to reliability.
suspicion level is not maintained. Statistical                     The overall architecture for NIC-based security
approaches such as PHAD [14] IDS, Finite mixture               is shown in Fig. 2 [9].
model [15], clustering and data mining [16],
artificial neural networks [17], Expert Systems such               A P(srcIP | destIP) framework of is an example
as MIDAS, IDES and NIDES, genetic algorithms                   of anomaly IDS implemented based on the firewall
such as the IDS given in Crossbie [4], machine                 and host NICs [21, 9]. A distributed version of
learning and immune systems techniques are the                 P(srcIP | destIP) known as P(src IP | destIP,destPort)
main categorizations of anomaly detection systems.             is implemented on the host NIC [9]. Embedding the
                                                               firewall-like security at the NIC level is given in [8].
    Signature detection which is called also misuse
or detection by appearance systems rely on the use
of specific known patterns of unauthorized behavior
and/or contents (parts of the attack signature). This
technique is fast and very accurate when it comes to
detect a specific attack because it checks the
protocol layers for known signatures. Encoding can
fool signature based attacks but this usually applies
only to web applications attack like cross site
scripting and SQL injections. However, it has the
drawback of possibility failure in detecting novel
attacks whose signatures are unknown or in the case
of environment changes. Snort [18] is an IDS
running over IP-networks and depending on the
signature-based intrusion detection system approach
[19, 20].                                                              Figure 2. The architecture for NIC-based security

    Because a home-network-node cannot send a                      Weinsberg et al. [11] implemented a SCIRON
packet to itself from out of the network and a                 (Secure-Communication IntegRated over NIC)
connection cannot be initiated from the port Zero,             firewall based on a NIC. Schuff et al. [22] presented
heuristic intrusion detection methods mainly depend            and implemented a NIC-based IDS based on the
upon the admen’s past experience and intelligence.             processing of the available resources in future
This type extends the power of the IDS dramatically            multi-core RISC processors combined with
since the admin will usually adjust it according to            specialized content inspection hardware. Using
details of the network activities and its nature. One          Myrinet cluster to design and implement NIC-based
of the disadvantages is that bad rules will raise lots         QoS is presented in [23]. In 2001 [24], Markham et
of false alerts which may lead to ignore alerts while          al. and Payne proposes and implemented a
                                                               distributed firewall on a NIC. Sekar et al. designed

                                                         306                               http://sites.google.com/site/ijcsis/
                                                                                           ISSN 1947-5500
                                           (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                Vol. 8, No. 4, July 2010

and implemented a hybrid IDS of anomaly detection               5. IDS for each protocol is present in the shape of
approach with human-designed state machine [25].                   classes named as follows udpIDS.cs, tcpIDS.cs
    Tombini et al. [26] combined signature and                     … etc.
anomaly detection techniques to design and                      6. In each protocol parsing class, a module from
implement a hybrid IDS. Aydın et al. proposed a                    the relevant IDS class is called to detect
hybrid IDS combined of anomaly-based IDSs and                      possible intrusion signs.
network traffic anomaly detection (NETAD) based
on the misuse-based IDS Snort [19].                                Any protocol parsing class could be easily added
                                                               and integrated in the appropriate protocol layer (e.g.
      III.   THE PROPOSED HYBRID INTRUSION                     after transport a protocol for example).
                                                                   As mentioned early, HSIDS depends upon the
    The proposed IDS system, HSIDS, is modified                capturing infrastructure of Pacanal which depends
using a Pacanal package, a winpcap C# mimic. The               mainly in itself for capturing packets and raising the
will known winpcap library [4] had been translated             obtained byte to the upper layers of HSIDS for
into C#.      In this package, an ethereal-like                parsing and intrusion detection. Although, winpcap
application depending on winpcap technology                    libraries when setup it extends HSIDS's reliability
implemented using C# is implemented with                       by assuring existence of the npf.sys driver as an
supporting APIs. Pacanal was just a packet capturer            example. Some HSIDS bugs are avoided when
and needed an enormous amount of effort to                     installing WinPcap.
develop. For Pacanal package, there is no need to
send any packet although its designer implemented                  Signature-detection IDSs used to detect known
the Winsock service initialization and an API                  attacks but anomaly detection IDSs can detect new
function is used to write byte arrays into the NIC             attacks methods of heuristic.           HSIDS is
directly which could be used to craft packets.                 implemented using both of signature-based and
                                                               anomaly-based (by using a heuristic function to
   Pacanal package’s power is extended but                     extend the power of the IDS) intrusion detection
meanwhile all unneeded functions and protocol                  approaches. Capturing a packet is a little
parsing classes are removed. Pacanal's configuration           complicated process and many steps should be
panel has many options regarding being a packet                made before starting to capture a packet. Similar to
capturer configuration panel. But HSIDS's                      winpcap, Pacanal's descent which is HSIDS uses the
configuration panel is hanged with about 85%.                  easiest way of packet capturing. It simply reads
HSIDS is capable of working on almost all                      packets from the NIC. So, it’s counted as a protocol
windows computers including the following                      to read packets from the NIC.
versions (WIN2000, WINXP, WINVISTA,
WINNT, WIN95, WIN98, and WINME).                                   Another method of capturing is to embed the
                                                               capturing module in the protocols stack, so that the
    In our proposed system, HSIDS, the packet                  packet should pass by the capturing module and this
capturing depends upon reading bytes from the                  capturing should pass it to the upper protocol layer
NIC. This method is depending on the identifying               depending on where the capturing module is added
the NIC system in order to initialize a handle for             in the protocol stack. This method can choose to
communicating with it. In order to capture a packet,           pass or not to pass the packet received from the
the current NIC is identified and its parameters are           lower protocol layer. Also, this method show how
specified. HSIDS's structured is layered which                 most of the firewalls can be worked and also how
allows to detect bugs fast and easily. Also a great            some IDSs, that increases their features by such an
ease in upgrading HSIDS is achieved. Moreover,                 option, discard specific type of packets.
HSIDS's protocols parsing classes could be
increased and integrated into the project very easily.         A.    Identifying the Platform
The following algorithm shows how HSIDS is
working.                                                           In order to capture a packet, the current NIC in
                                                               use is identified first followed by specifying its
1. Reading packet from NIC.                                    parameters. A packet32h object is created and when
2. Parsing packet initially using the frame parser             created it:
   and Ethernet protocol parser.                                    1.   Get the operating system info.
3. Ethernet protocol parser parses the standard
   fields for a typical Ethernet header and also                    2.   Get the list of up and working network
   identifies the upper protocol whether it is TCP,                      adapters.
   UDP, ARP, etc.                                                   3.   Initialize the winsock.dll.
4. According to the detected protocol, the
   appropriate packet parsing class parsing                        To identify the current windows version, certain
   function is called and the rest of the packet is            API functions are called and variables are passed by
   passed to that class function.                              reference in order to send the variable and receive it
                                                               again with its values. The API function is:

                                                         307                            http://sites.google.com/site/ijcsis/
                                                                                        ISSN 1947-5500
                                                  (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                       Vol. 8, No. 4, July 2010

     [DllImport("kernel32.dll")]                                            uint [] lpInBuffer, int nInBufferSize,
     public extern static int GetVersionEx(ref                              int lpOutBuffer, int nOutBufferSize,
                                                                            ref int lpBytesReturned, int lpOverlapped
     mOSInfo.dwMajorVersion &
     mOSInfo.dwMinorVersion                                                 )

    The mOSInfo is a struct that has many variables                       This helps to set attributes to the device with the
in it.GetVersionEx API function previously know                       specified handle or issuing commands to the device.
that it will receive a variable with that structure.                  This function has eight different overloads to serve
                                                                      that issue.
B.    Opening the NIC
                                                                      C.  Reading a Single Packet
    This API function opens the NIC using its
previously obtained system name as a file for read                       The following function issues a command to the
and write access modes, and creates it depending on                   NIC to make one read operation.
that it already exists. Also, it can write packets bytes
in the NIC and eventually injecting crafted packets
into the network. For example, the WinXP which is                                        [DllImport("kernel32.dll")]
our OS lies under the Win2000 category so to find                                public extern static int WaitForSingleObject
the list of current network interface cards, the list of
keys is checked in the following registry path:                                      ( int hHandle, uint dwMilliseconds );

D36E972-E325-11CE-BFC1-08002bE10318}                                     This function actually reads the object (byte[]
    After receiving the NIC's system known name, a                    packet) obtained from the NIC.
check is required on the device system name to                             [DllImport("kernel32.dll")]
make sure it obeys the following format:
"\Device\NPF_{TheDeviceSystemName}".              The                      private static extern bool ReadFile (
following step is to call the following function:                          int hFile,                 // handle to file
     [DllImport("kernel32.dll")]                                           byte [ ] lpBuffer,          // data buffer..output
     public extern static int CreateFile (                                 int nNumberOfBytesToRead, //number of bytes to
     char [] lpFileName,                                                   read

     /* pointer to name of the file Device system name*/                   ref int lpNumberOfBytesRead, // number of bytes
     int dwDesiredAccess
                                                                           ref OVERLAPPED lpOverlapped               // overlapped
     /* access (read-write) mode Read and Write */                         buffer
     int dwShareMode,            /* share mode 0 */                        );
     int lpSecurityAttributes,
                                                                      D. Mess Cleaning
     /* pointer to security attributes 0     */
                                                                          First, mess should be cleaned and free all system
     int dwCreationDistribution,                                      resources that were reserved by HSIDS using the
     /* how to create 3 "Open existing“ */                            following function to end the NIC commands
                                                                      session. For example:
     int dwFlagsAndAttributes,
     /* file attributes 0 */
                                                                                public extern static int CloseHandle
     int hTemplateFile); * handle to file with attributes to
     copy 0                                                                     ( int hObject ); //The NIC’s handle
    This function returns an integer which is the
NIC's handle that will be used to deal with the NIC's
I/O stream in the memory. Another API function of
the kernel32.dll is:                                                        IV.      HSIDS CONFIGURATION AND USER
      [DllImport("kernel32.dll")] public extern static int
                                                                          Logs are saved in .mdb access db format in the
      DeviceIoControl(                                                ".\Logs" directory. A log file is named after the time
                                                                      and the time and date the HSIDS started capturing
      int hDevice, uint dwIoControlCode,
                                                                      packets. An example of log file is shown in Fig. 3.

                                                               308                               http://sites.google.com/site/ijcsis/
                                                                                                 ISSN 1947-5500
                                          (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                               Vol. 8, No. 4, July 2010

sip dip Sport dport          Sign                   Msg                      References                              type
Any any Any 135 7416e877cce0fd7fcce0fd7f DCOM Exploit (MS03-026) www.microsoft.com/security/s                       admin
Any any Any 135 ec29e877cce0fd7fcce0fd7f DCOM Exploit (MS03-026) www.microsoft.com/security/s                       admin
Any any any    135 b524e877cce0fd7fcce0fd7f DCOM Exploit (MS03-026) www.microsoft.com/security/s                    admin
Any any any    135 7a36e877cce0fd7fcce0fd7f DCOM Exploit (MS03-026) www.microsoft.com/security/s                    admin
Any any any    135 9b2af977cce0fd7fcce0fd7f DCOM Exploit (MS03-026) www.microsoft.com/security/s                   Admin
Any any any    135 e3afe977cce0fd7fcce0fd7f DCOM Exploit (MS03-026) www.microsoft.com/security/s                   Admin
Any any any    135 ba26e677cce0fd7fcce0fd7f DCOM Exploit (MS03-026) www.microsoft.com/security/s                    admin
                                           Figure 3. An example of log file

                                                                        “Tree View” indicated by the number “7”:
A. User Interface
                                                                         It shows a tree structure for a shown packet
    Fig. 4 shows a screen shot of the main user                          holding a threat.
interface of HSIDS. The main parts that are
appeared in this figure are the main menu and five                      A rich text box control indicated by the
main windows as follows. The menu items are                              number “8”: It shows the HEX dump for a
divided into two options (Capture which is indicated                     shown packet holding a threat
by the number “1” and Options which is indicated                        A rich text box control indicated by the
by the number “2”). “Capture” option is used either                      number “9”: It shows information about the
to start the capturing process through using the                         threat, how to deal with, and what is usually
option “Start”, which is indicated by the number                         provided.
“3”, or to stop capturing through using “stop”
option which indicated by the number “4”. The                           A rich text box control indicated by the
menu item “Options” which is indicated by the                            number “10”: It shows statistics about
number “2” and is used either to change HSIDS                            protocols, amount of bytes and time
configuration in addition to getting some help                           elapsed.
through “Configure HSIDS” option, which is
indicated by the number “5”, or to exit the system                      A list box control indicated by the number
through “Exit” option which is indicated by the                          “11”: It shows a list containing a brief
number “6”.                                                              description about the protocol, threat,
                                                                         packet ID and time of arrival
    The following are the five main windows that
are appeared in Fig. 4.                                                 A label control indicated by the number
                                                                         “12”: It shows HSIDS's slogan.

                                       Figure 4. A screen shot of HSIDS system.

                                                         309                            http://sites.google.com/site/ijcsis/
                                                                                        ISSN 1947-5500
                                                 (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                      Vol. 8, No. 4, July 2010

                                                                       D. HSIDS Configuration Panel
B. Signature DB
                                                                          HSIDS is capable of copying any packet that
    HSIDS has a signature database (DB) for many                       passes by the NIC of the host having HSIDS running
know attacks. Signatures are stored in many                            on it. HSIDS obtains the packet in a byte [] format
databases with relation to the protocol itself for                     and can efficiently parse the array. As mentioned
example TCP has a DB for all its types of attacks                      before, HSIDS opens a NIC with read and write
(tables) and each table has its own rules sets                         access modes which means that HSIDS can craft.
containing a signature for the attack. When an attack                  Pacanal's configuration panel had many options
is launched, the attacking packets will have some                      regarding being a packet capturer configuration panel.
fingerprint or a signature that declares its threat.                   HSIDS is capable of working on almost all windows
    An example of HSIDS's signature rules is given in                  computers including the following versions
Fig. 5. In this figure, the column “sign” represents                   (WIN2000, WINXP, WINVISTA, WINNT, WIN95,
hex strings. IF found as a TCP payload coming from                     WIN98, and WINME). A screen shot is given in Fig.
any IP going to any IP from any port to port 135 then                  6 to show the main HSIDS's configuration panel
this is the well known. This method is very accurate                   where:
when it comes to detecting a specific attack because it
                                                                              The NIC device name is indicated by the
checks the protocol layers for known signatures
                                                                               number 1 in the interface.
C. Heuristic-Based Intrusion Detection                                        An option to limit the number of data
   Heuristic intrusion detection depends mainly on                             captured of each packet is indicated in the
how a strange behavior would be. An IP IDS heuristic                           interface by the number 2.
module is given as:                                                           An option to limit the number of packets
private void heuristic()                                                       captured for intrusion detection is indicated
                                                                               in the interface by the number 3. An option to
{                                                                              limit the number of kilobytes captured for
Int32 int1=0;                                                                  intrusion detection is indicated in the
if((astn.LocalIP()==astn.SIP())                                                interface by the number 4.
||(astn.SIP()==astn.DIP()))                                                   An option to limit the time elapsed during
//Unlogical source and destination IPs {                                       intrusion detection is indicated in the
                                                                               interface by the number 5.
         / /Logging a possible unsecure header
         cmd_.CommandText=                                                    An option to specify the buffer size of the
                                                                               NIC is indicated in the interface by the
    "insert into unsecure        (pid,protocol,sign) VALUES                    number 6.
('"+pid+"','IP','Un logical source and target IPs')";
         int1 = cmd_.ExecuteNonQuery();                                       An option to specify the buffer size of the
                                                                               intrusion detection is indicated in the
     //Reporting strange activity.                                             interface by the number 7.
    lstbox.Items.Add("[IP][Heuristic Scan][Un          logical
source            and           destination              IPs]]                An option to specify how much data should
#"+Convert.ToString(Convert.ToInt32(pid)-                                      the HSIDS copy from the NIC’s buffer for
2)+"at"+DateTime.Now.TimeOfDay.ToString());                                    intrusion detection (the minimum amount of
                                                                               data needed to copy in each read process
                                                                               from the NIC’s buffer) is indicated in the
    }}                                                                         represented by number 8.

                                                    Figure 5. HSIDS signature

                                                                 310                           http://sites.google.com/site/ijcsis/
                                                                                               ISSN 1947-5500
                                                                (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                     Vol. 8, No. 4, July 2010

                                              Figure 6. A screen shot HSIDS configuration panel

       A button to save and apply the options is represented in
        the interface by the number 9.                                     TABLE I.         THE PERCENTAGES OF THE DIFFERENT CATEGORIZATION OF
                                                                                             ATTACKS OF THE TRAIN AND TEST DATA
       A button to cancel the configuration screen and return                     Attack Categorization       Train Ratio          Test Ratio
        back to the main interface is represented in the
                                                                               Normal                         42.0%             22.36%
        interface by the number 10.
                                                                               PRB                            17.0%             3.43%
E. Maintaining Order when Discovering an Attack                                U2R                            7.0%              1.19 %
    If a spoof attack is launched a primary step to deal with the              DOS                            30.0%             64.21%
attack to launch fake packets that acts as a spoofer, it returned              R2L                            4.0%              8.82%
everything that been used even spoof the attackers IP and                      To apply the validating measures on the experimental
cutting it of the network. Although bypassing a spoofed attack             results, Table II lists the parameters required for these
is very easily even manually, it is the least thing we can do as a         measures.
favor to the attacker.

F. HSIDS's Mutilation                                                        TABLE II.           THE USED PARAMETERS IN THE SYSTEM VALIDATING
   In HSIDS, it is also implemented how to switch to the stack
                                                                                     Parameter        Parameter               Definition
based capturing method to provide more options mainly                                                   symbol
preventing some packets from passing through, mutating                            True    Positive    TP             Attack occurs and in the same
HSIDS, and turning it into a hybrid IDS/IPS solution.                             Rate                               time alarm raised
                                                                                  True    Negative    TN             No attack occur and in the
                                                                                  Rate                               same time no alarm
               V.    PRELIMINARY EXPERIMENTS                                      False   Positive    FP             No attack occur and no alarm
    IDS validating is important to measure its performance. For                   Rate                               raised in the same time
preliminary experimental study, two victim machines running                       False   Negative    FN             Attack occurs and no alarm
on Windows XP operating systems are used for the                                  Rate                               raised in the same time
experimentation. The traffic generators of other hosts machines
and different users who are using different applications and                      Table III shows the final results using the following
internet are simulated.                                                    measurements to validate the performance of HSIDS [27]:
    A set of validating data is gathered from the two victim                        Precision measure: It represents the occurring of an
machines and from the network. First, we trained anomaly                             attack and in the same time this attack is correctly
detection systems to one of the following attacks                                    detected. It is computed as:
categorizations: (Probing “PRB”, User to Root “U2R”, Denial
of Service “DOS”, Remote to Local “R2L”) as shown in Table                                             Precision = TP / (TP+FP).
I. The following step is to provide the test data containing 92
                                                                                    Recall measure: It represents the occurring of an attack
unlabeled instances of attacks without predefining 22 of these
                                                                                     and in the same time detecting attacks from the really
attacks in the training data stage.
                                                                                     attacks. It is computed as:
                                                                                                        Recall = TP / (TP + FN)

                                                                     311                                   http://sites.google.com/site/ijcsis/
                                                                                                           ISSN 1947-5500
                                                                  (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                       Vol. 8, No. 4, July 2010
       Detection Rate: It represents the ratio between the total           compare its performance efficiency with other IDSs under
        attack number and the total detecting number of                     different conditions.
       The false alarm measure: It represents the occurring of                                       REFERENCES
        attack and in the same time the system could not                    [1]    Bishop, M., Computer Security: Art and Science, Addison-
        correctly detect it or the attack happens. It is computed                  Wesley, Boston, MA, 2003.
        as:                                                                 [2]    Seymour Bosworth, M.E. Kabay, Computer Security
                                                                                   Handbook, 4th ed., John Wiley & Sons, 2002.
         The false alarm = (FP + FN) / (TP + FP + FN + TN)                  [3]    Marcus A. Maloof, Machine Learning and Data Mining for
                                                                                   Computer Security: Methods and Applications, Springer-
                                                                                   Verlag London Limited, 2006.
                                                                            [4]    Philip K. Chan, Richard P. Lippmann, "Machine Learning for
   Categorization    Detection    False      Precision   Recall                    Computer Security,” Journal of Machine Learning Research,
                       Rate       Alarm                                            vol. 7, pp. 2669-2672, 2006.
        Normal      95.19%       4.81%      88.24        98.21              [5]    Sathish Alampalayam P. Kumar, Anup Kumar, and S.
                                                                                   Srinivasan, “Statistical Based Intrusion Detection Framework
          PRB       96.78        3.22%      83.43        88.81
                                                                                   using Six Sigma Technique,” IJCSNS International Journal of
          U2R       84.65%       16.35%     78.94        74.3                      Computer Science and Network Security, vol.7, no.10, October
          DOS       97.62%       2.38%      98.12        98.54              [6]    (2003) Joe Bowling, "The Future of IDS”. [Online]. Available:
          R2L       61.02%       38.98%     83.22        10.41                     http://www.infosecwriters.com/texts.php?op=display&id=115
                                                                            [7]    http://www.winpcap.org/docs/docs31/html/group__NPF.html
                                                                            [8]    Bace R.G., “Intrusion Detection,” Indianapolis, USA,
         From the results, it is shown that the HSIDS is                           Macmillan Technical Publishing, 2000.
suitable for detecting errors that are predefined and not                   [9]    M.Otey, R. Noronha, G.Li, S. Parthasarathy, and D. Panda,
predefined in the database. Also, it can achieve a very good                       “NIC-based Intrusion Detection: A feasibility study,”
overall accuracy in detecting attacks.                                             Proceedings of the IEEE ICDM Workshop on Data Mining for
                                                                                   Cyber Threat Analysis, December 2002.
                                                                            [10]   M. Otey, S. Parthasarathy, A. Ghoting, G. Li, S. Narravula, and
            VI.     CONCLUSION AND FUTURE WORK                                     D. Panda, “Towards NIC based intrusion detection,” in
    It's very obvious that IDSs are gaining more importance by                     Proceedings of the ninth ACM SIGKDD international
the day due to the used applied technologies applied through it                    conference on Knowledge discovery and data mining, pp. 723–
regarding to the respond to attacks, and the capability of                         728. ACM, ACMPress, NY, USA, Aug. 2003
identifying the origin of these attacks. High data flow rate is a           [11]   Yossi Amir, Gilad Gat, Elan Pavlov, Yaron Weinsberg, Sharon
ruthless enemy and may greatly affect the performance of IDS,                      Wulff, "Putting it on the NIC: A Case Study on application
                                                                                   offloading to a Network Interface Card," Consumer
especially large packets.
                                                                                   Communications and Networking Conference CCNC 2006.
    In this paper, a new hybrid IDS called HSIDS in which its               [12]    O1-Anton Chuvakin, Five IDS MisHSIDSes People Mak.
capturing capability depends upon reading bytes from the NIC                       [Online]. Available:
is proposed and implemented. Its capturing method depends on                       http://www.computerworld.com/securitytopics/security/story/0,
embedding the capturing module in the protocols stack so that                      10801,78670,00.html?SKC=security-78670
the packet can be passed by the capturing module to the upper               [13]   Bace R.G., “An introduction to intrusion detection and
protocol layer depending on where the capturing module is                          assessment for system and network security management,”
                                                                                   ICSA Intrusion Detection Systems Consortium Technical
added in the protocol stack. In other meaning, HSIDS
                                                                                   Report, 1999.
combines heuristic and signature based detection approaches.
                                                                            [14]   Matthew V. Mahoney and Philip K. Chan, “PHAD: Packet
HSIDS's structured is layered which improves its capabilities in                   header anomaly detection for identifying hostile network
detecting bugs fast and easily. It is easy to upgrade HSIDS's                      traffic,” Technical Report, Florida Tech., 2001.
protocols parsing classes and integrate it into most of other               [15]   K. Yamanishi, J. Takeuchi, G. Williams, and P. Milne, “On-
projects in very easily matter because it does not depend on any                   line unsupervised oultlier detection using finite mixtures with
external applications.                                                             discounting learning algorithms,” In KDD, pages 320–324,
    HSIDS is tested itself by giving infrastructure to craft fake                  Boston, MA, 2000.
                                                                            [16]   Eleazar Eskin, Andrew Arnold, Michael Prerau, Leonid
packets then launching fake packets towards HSIDS where
                                                                                   Portnoy, and Sal Stolfo., “A geometric framework for
HSIDS succeeds in detecting the attack embedded in the                             unsupervised anomaly detection: Detecting intrusions in
packet. HSIDS is tested through an experimental study where                        unlabeled data,” Data Mining for Security Applications, 2002.
the results show that it is suitable for detecting errors that are          [17]   Jake Ryan, Meng-Jang Lin, and Risto Miikkulainen, “Intrusion
predefined and not predefined in the database with achievement                     detection with neural networks,” In Proceedings of AAAI-97
a very good overall accuracy in detecting attacks.                                 Workshop on AI Approaches to Fraud Detection and Risk
   As a future work, we plane to investigate the performance                       Management, pages 72–77, AAAI Press, 1997.
                                                                            [18]   (2010)      homepage     of Snort. [Online].         Available”
of IDS in details using a suitable database of attacks and

                                                                      312                                 http://sites.google.com/site/ijcsis/
                                                                                                          ISSN 1947-5500
                                                                  (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                       Vol. 8, No. 4, July 2010
[19]   M. Ali Aydın, A. Halim Zaim, K. Gokhan Ceylan, “A hybrid
       intrusion detection system design for computer network
       security,” Computers and Electrical Engineering 35, 517–526,
[20]   Roesch M., “Snort – lightweight intrusion detection for
       networks,” In Proceedings of the 13th LISA Conference of
       USENIX Association, 1999.
[21]   M. Mahoney and P. Chan, “Learning nonstationary models of
       normal network traffic for detecting novel attacks,” In
       SIGKDD, 2002.
[22]   D. Schuff, V. Pai, P. Willmann and S. Rixner, “Parallel
       Programmable Ethernet Controllers: Performance and
       Security,” IEEE Network, 2007.
[23]   A. Gulati D. K. Panda P. Sadayappan and P.Wyckoff, “NIC-
       based rate control for proportional bandwidth allocation in
       myrinet clusters,” In Int’l Conference on Parallel Processing,
[24]   Markham, T. and Payne, C., “Security at the network edge: a
       distributed firewall architecture,” In DARPA Information
       Survivability Conference & Exposition II, 2001.
[25]   Sekar, R., Gupta, A., Frullo, J., Shanbhag, T., Tiwari, A.,
       Yang, H., and Zhou, S., ”Specification-based anomaly
       detection: a new approach for detecting network intrusions,” In
       Proceedings of the 9th ACM conference on Computer and
       communications security, ACM Press, pp. 265–274, 2002.
[26]   Tombini, E., Debar, H., M´E, L., and Ducass´ E, M., “A serial
       combination of anomaly and misuse IDSes applied to HTTP
       traffic,” In 20th Annual Computer Security Applications
       Conference, 2004.
[27]   G. Helmer, J.S.K. Wong, V. Honavar, and L. Miller,
       “Automated discovery of concise predictive rules for intrusion
       detection,” Journal of Systems and Software, Vol. 60, Issue 3,
       pp. 165–175, 2002.

                                                                      313                              http://sites.google.com/site/ijcsis/
                                                                                                       ISSN 1947-5500

To top