Artificial Immune System as Intrusion Detection System - 110mb

Anomaly Based Network Intrusion Detection Systems for Prevention of DDoS Attacks - A Survey

Bisma Hashmi
Mehrin Kiani
M. Fateh Khan
M. Zubair Shafiq
Network Intrusion Detection
• Signature Based NID Systems
• Anomaly Based NID Systems
• Hybrid NID Systems

[Diagram: IDS taxonomy, rendered here as an outline]
IDS
  Anomaly
    Statistical
    Rule-based
    AIS
    ANN
  Signature
    State Transition
    Expert system
  Hybrid
Anomaly-based NID Systems
• Define a profile describing “normal” behavior
   – Works best for “small”, well-defined systems (a single program rather than a huge multi-user OS)
• Profile may be statistical
   – Build it manually (this is hard)
   – Use machine learning and data mining techniques
      • Log system activities for a while, then “train” the IDS to recognize normal and abnormal patterns
   – Risk: the attacker trains the IDS to accept his activity as normal
• IDS flags deviations from the “normal” profile
Biological Immune System (Immunity)
• Ability of an organism to resist attacks by invasive foreign substances
• foreign substance → pathogen → antigen (Ag)
• The immune system (IS) is able to distinguish self from non-self
• white blood cells → lymphocytes → antibody (Ab)
Lymphocytes (Ab)
• Ags have a variety of epitopes on different areas of their surface
• Lymphocytes are a dormant population
• They await appropriate signals to be stirred into action
Binding
• The Ag will only bind to those Ab(s) with which it makes a good fit, the way a key fits into a lock
• When an Ag binds to an Ab, the lymphocyte receives a triggering signal and starts producing Ab(s)
• The IS is capable of recognizing virtually any pathogen that may exist in this universe
Negative Selection
• Autoimmune lymphocytes may tend to recognize the body’s own cells as antigens
• Lymphocytes mature in the thymus once created
• Only those mature that do not detect self-cells

[Diagram: Thymus Action]
Immature Detector → Self match? → No → Mature Detector
                                → Yes → Apoptosis
Affinity Maturation
[Figure not preserved in extraction]
Artificial Immune System

An Immunological Model of Distributed Detection
U = S ∪ N,  S ∩ N = ∅
(the universe U of patterns is partitioned into self S and non-self N)
Constituents of AIS
• Detectors
• Peptide (Epitope/Paratope) Representation
• Matching
   – Hamming distance matching
   – r-contiguous matching
• Tolerization
   – Negative Selection
• Affinity Maturation
   – Clonal Proliferation
   – Somatic Hypermutation
• Costimulation
Detector

[Diagram: Lymphocyte + Antibody → Detector]

• Lymphocyte and Antibody are merged as detector
Peptide Representation
• Strings
• Length of String (N)
• Cardinality (m)
• Fields

[Diagram: a string of N symbols, indexed 1, 2, 3, …, N-1, N]
Base Representation Of Patterns
• For TCP-SYN Packets

  Bits    Field Length (bits)   Field Description
  1-8     8                     LSB of Server’s IP
  9-40    32                    Client IP
  41      1                     Server Flag
  42-49   8                     Type Of Service
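As an added example (not part of the slides), the 49-bit layout in the table above implemented in Python: a packet's four fields are packed into the bit string that a detector would be matched against, and unpacked again. The function names and the sample addresses are constructed for this example; the bit positions are the ones in the table.

```python
import ipaddress

# Field layout from the table above (bit positions are 1-based on the slide):
#   bits 1-8   : least-significant byte of the server's IP
#   bits 9-40  : client IP (32 bits)
#   bit 41     : server flag
#   bits 42-49 : type of service
PEPTIDE_LENGTH = 49


def encode_syn_packet(server_ip: str, client_ip: str, server_flag: int, tos: int) -> str:
    """Pack one TCP-SYN packet into its 49-bit peptide string."""
    if server_flag not in (0, 1):
        raise ValueError("server_flag must be 0 or 1")
    if not 0 <= tos <= 255:
        raise ValueError("type of service must fit in 8 bits")
    server_lsb = int(ipaddress.IPv4Address(server_ip)) & 0xFF
    client = int(ipaddress.IPv4Address(client_ip))
    bits = f"{server_lsb:08b}{client:032b}{server_flag:01b}{tos:08b}"
    assert len(bits) == PEPTIDE_LENGTH
    return bits


def decode_peptide(bits: str) -> dict:
    """Inverse of encode_syn_packet: split a 49-bit string into its four fields."""
    if len(bits) != PEPTIDE_LENGTH or set(bits) - {"0", "1"}:
        raise ValueError("expected a 49-character bit string")
    return {
        "server_lsb": int(bits[0:8], 2),
        "client_ip": str(ipaddress.IPv4Address(int(bits[8:40], 2))),
        "server_flag": int(bits[40]),
        "tos": int(bits[41:49], 2),
    }


def field_of_bit(position: int) -> str:
    """Name the field a 1-based bit index (as in the slide's table) belongs to."""
    if 1 <= position <= 8:
        return "server_lsb"
    if 9 <= position <= 40:
        return "client_ip"
    if position == 41:
        return "server_flag"
    if 42 <= position <= 49:
        return "tos"
    raise ValueError("bit index out of range")


# Constructed sample: client 192.168.1.7 opening a connection to server 10.0.0.25.
SAMPLE = encode_syn_packet("10.0.0.25", "192.168.1.7", 1, 0)

if __name__ == "__main__":
    print(SAMPLE)
    print(decode_peptide(SAMPLE))
```

Only the low byte of the server address is kept, so detectors trained on one /24 of servers cannot tell two servers apart that differ only in higher octets; that is a property of the representation, not of the matching rule.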
Detector Characteristics

  Field              Possible Values
  State              Immature, mature, memory, dead
  Activation Level   α
  Peptide            N bits
  Age                0 - T_death
  Antigen            a
Matching

HAMMING distance Matching (bit-wise Matching), L = 16

  1 1 0 0 0 1 0 0 1 1 1 0 0 1 0 1
  0 0 1 1 0 0 0 1 0 1 1 0 1 1 0 0        r = 7 (positions where the two strings agree)

Matching Criterion: If r ≤ k, then matched

Matching

r-CONTIGUOUS Matching (bit-wise Matching), L = 16

  1 1 0 0 0 1 0 0 1 1 1 0 0 1 0 1
  0 0 1 1 0 0 0 1 0 1 1 0 1 1 0 0        r = 3 (longest run of contiguous agreeing positions)

Matching Criterion: If r ≤ k, then matched
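Both matching rules on the two 16-bit strings from the slides above, as an added example in Python (not code from the slides). Computing on the slide's strings gives 7 agreeing positions and a longest contiguous run of 3, which is where the r = 7 and r = 3 on the slides come from. The threshold direction in the two predicates is an assumption: they follow the usual AIS convention that a detector matches when at least k bits (or at least r contiguous bits) agree.

```python
# The two 16-bit strings from the slides above (L = 16).
DETECTOR = "1100010011100101"
ANTIGEN = "0011000101101100"


def _check(a: str, b: str) -> None:
    if len(a) != len(b):
        raise ValueError("strings must have equal length")
    if set(a + b) - {"0", "1"}:
        raise ValueError("strings must be binary")


def matching_bits(a: str, b: str) -> int:
    """Hamming matching: number of positions where the two strings agree."""
    _check(a, b)
    return sum(x == y for x, y in zip(a, b))


def hamming_distance(a: str, b: str) -> int:
    """Number of positions where the strings differ (L minus the matching bits)."""
    return len(a) - matching_bits(a, b)


def longest_contiguous_match(a: str, b: str) -> int:
    """r-contiguous matching: length of the longest run of consecutive agreeing positions."""
    _check(a, b)
    best = run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        best = max(best, run)
    return best


def hamming_match(a: str, b: str, k: int) -> bool:
    """Detector a matches antigen b if at least k positions agree (assumed threshold direction)."""
    return matching_bits(a, b) >= k


def r_contiguous_match(a: str, b: str, r: int) -> bool:
    """Detector a matches antigen b if some run of at least r consecutive positions agrees."""
    return longest_contiguous_match(a, b) >= r


def match_mask(a: str, b: str) -> str:
    """Visual aid: '|' where the strings agree, '.' where they differ."""
    _check(a, b)
    return "".join("|" if x == y else "." for x, y in zip(a, b))


if __name__ == "__main__":
    print(DETECTOR)
    print(match_mask(DETECTOR, ANTIGEN))
    print(ANTIGEN)
    print("matching bits:", matching_bits(DETECTOR, ANTIGEN))
    print("longest contiguous match:", longest_contiguous_match(DETECTOR, ANTIGEN))
```

The mask line makes the difference between the two rules visible: Hamming matching counts every `|`, while r-contiguous matching only cares about the longest unbroken run of them, so scattered agreement that satisfies a Hamming threshold can still fail an r-contiguous one.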
Tolerization
• After the initial population, new detectors are created through clonal proliferation and somatic hypermutation
• Valid detectors are those detectors which do not match self patterns during tolerization (maturation in the thymus)
• Tolerization → Negative Selection
Affinity Maturation
• Clonal Proliferation
   – Once a detector matches an antigen, it undergoes clonal proliferation
   – Multiple clones are formed
• Somatic Hypermutation
   – Replicated clones undergo single-point mutation
   – Only those clones are selected whose affinity is greater than or equal to that of the original detector (acquired immunity)
Costimulation
• Costimulation is provided by the system when the number of different detections exceeds a particular threshold.
• Affinity maturation of a detector starts only after costimulation is provided.
• Costimulation also provides a vital delay in attack detection/packet dropping, which is fundamental in avoiding false positives.
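The three mechanisms from the Tolerization, Affinity Maturation and Costimulation slides above, run end to end on 16-bit strings as an added example in Python (not code from the slides or from any of the surveyed systems). Negative selection keeps only random candidates that match no self string; a costimulated detector (one that has matched at least a threshold number of different antigens) is cloned, each clone gets one point mutation, and clones survive only if their affinity to the antigen is at least the parent's and they still do not match self. The self set, the antigens, the Hamming threshold k = 12 and the "at least k agreeing bits" match rule are constructed assumptions.

```python
import random

L = 16  # detector / antigen string length, as on the matching slides


def matching_bits(a: str, b: str) -> int:
    """Hamming matching: positions where the two strings agree."""
    return sum(x == y for x, y in zip(a, b))


def matches(detector: str, pattern: str, k: int) -> bool:
    """A detector matches a pattern when at least k bits agree (assumed threshold direction)."""
    return matching_bits(detector, pattern) >= k


def make_rng(seed: int) -> random.Random:
    return random.Random(seed)


def random_string(rng: random.Random, n: int = L) -> str:
    return "".join(rng.choice("01") for _ in range(n))


def negative_selection(self_set, n_detectors: int, k: int, rng: random.Random) -> list:
    """Tolerization: generate random immature detectors and keep only those that match
    no self string; candidates that match self are discarded (apoptosis)."""
    mature = []
    attempts = 0
    while len(mature) < n_detectors and attempts < 1000 * n_detectors:
        attempts += 1
        candidate = random_string(rng)
        if not any(matches(candidate, s, k) for s in self_set):
            mature.append(candidate)
    return mature


def point_mutation(s: str, rng: random.Random) -> str:
    """Somatic hypermutation as used here: flip exactly one randomly chosen bit."""
    i = rng.randrange(len(s))
    return s[:i] + ("1" if s[i] == "0" else "0") + s[i + 1:]


def clonal_expansion(detector, antigen, self_set, k: int, n_clones: int, rng) -> list:
    """Clonal proliferation: make n_clones mutated copies and keep those whose affinity
    to the antigen is >= the parent's and that still do not match self."""
    parent_affinity = matching_bits(detector, antigen)
    survivors = []
    for _ in range(n_clones):
        clone = point_mutation(detector, rng)
        if matching_bits(clone, antigen) >= parent_affinity and not any(
            matches(clone, s, k) for s in self_set
        ):
            survivors.append(clone)
    return survivors


def costimulated(detector: str, antigens, k: int, threshold: int) -> bool:
    """Costimulation is granted only after the detector has matched at least
    `threshold` *different* antigens; repeated sightings of one antigen count once."""
    distinct = {a for a in antigens if matches(detector, a, k)}
    return len(distinct) >= threshold


# Constructed self set (strings standing for normal traffic) and observed antigens.
SELF = ["0000111100001111", "0000111100001110", "1000111100001111", "0000111110001111"]
ANTIGENS = ["1111000011110000", "1111000011110001", "1111000001110000", "1111000011110000"]


def demo(seed: int = 7) -> dict:
    """Run tolerization, costimulation and affinity maturation end to end."""
    rng = make_rng(seed)
    k = 12
    detectors = negative_selection(SELF, 5, k, rng)
    result = {"detectors": detectors, "costimulated": [], "clones": {}}
    for d in detectors:
        if costimulated(d, ANTIGENS, k, threshold=2):
            result["costimulated"].append(d)
            result["clones"][d] = clonal_expansion(d, ANTIGENS[0], SELF, k, 10, rng)
    return result


if __name__ == "__main__":
    print(demo())
```

The costimulation check is what turns a single chance match into evidence: one antigen seen many times still counts as one detection, so a lone packet that happens to match a detector neither triggers affinity maturation nor, in a system that drops packets, costs a legitimate client its connection.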
Denial of Service (DoS)
• Goal: overwhelm the victim machine and deny service to its legitimate clients
• DoS often exploits networking protocols
   – Smurf: ICMP echo request to a broadcast address with the spoofed victim’s address as source
   – Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows
   – SYN flood: “open TCP connection” request from a spoofed address
   – UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets
Denial-of-service attack scenario
[Figure not preserved in extraction]
Distributed Denial of Service (DDoS)
• Denial-of-service attacks performed from multiple subverted machines (agents).
Distributed denial-of-service attack scenario
[Figure not preserved in extraction]
Distributed Denial of Service (DDoS)
• ATTACKER
   – Mastermind behind the attack
• MASTER
   – Coordinates the attack
• ZOMBIES (Attack Daemons)
   – Conduct the attack
• VICTIM
   – Target host chosen to receive the attack
DDoS Architecture
[Diagram: Attacker → Master machines → Zombie machines → Victim]
Distributed Denial of Service (contd.)
• Attacker scans hundreds of thousands of computers on the Internet for known vulnerabilities and bottlenecks
• Turns vulnerable computers into “Control Master Programs”
   – Exploits vulnerabilities to gain root access, installs attack and communication tools, and uses them for further scans.
• Forms a distributed attack network from zombies
   – Chooses a subset of compromised machines with the desired network topology and characteristics and installs daemon programs on them.
• Daemon agents (Zombies) stage a coordinated attack on the victim
Defense Against DDoS
• Source Identification
   – Only locates zombies
   – IP Traceback: determine the path traversed by attack packets
   – Link testing: router installs a filter for attack traffic
• Traffic Filtering
   – Filter incoming traffic on access routers
   – Limit certain traffic types (ICMP and SYN packets)
   – Need to correctly measure normal rates first!
Defense Against DDoS (contd.)
• Disabling IP Broadcasts
• Applying Security Patches
• Disabling Unused Services
• Performing Intrusion Detection
TCP Handshake
[Diagram: three-way handshake between client C and server S]
  C → S : SYN_C                (S is listening…)
                               S stores data (connection state, etc.)
  S → C : SYN_S, ACK_C
                               S waits
  C → S : ACK_S
                               Connected
TCP SYN Flooding
• Send a stream of initial SYNs without sending the corresponding ACKs
• Victim server allocates resources for each request
   – limited buffer queue for new connections
• Once resources are exhausted, requests from legitimate clients are denied
• Classic denial of service (DoS) attack
   – costs nothing to the TCP initiator to send a connection request, but the TCP responder must allocate state for each request
SYN Flooding Attack
[Diagram: SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, … arrive at the listening server, which stores data for each one: “… and more data”, “… and more”, “… and more”]
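What the two slides above look like from the server's side, as an added example in Python (not from the slides): a replay of a constructed packet trace that tracks half-open connections per destination, the state the responder must allocate for each SYN. A completed handshake releases its entry, unanswered SYNs accumulate until they time out, and an alert fires when the half-open count for a destination exceeds a threshold. The trace, the addresses, the timeout and the threshold helper are all constructed for the example; the threshold helper follows the "measure normal rates first" point from the defence slide.

```python
from collections import defaultdict

# Constructed packet trace: (time_s, src_ip, dst_ip, tcp_flags).
# Flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK.  One legitimate client completes the
# handshake with 192.0.2.10, then 50 spoofed sources each send a bare SYN and never ACK.
SERVER = "192.0.2.10"
TRACE = [
    (0.00, "10.0.0.5", SERVER, "S"),
    (0.05, SERVER, "10.0.0.5", "SA"),
    (0.10, "10.0.0.5", SERVER, "A"),
]
TRACE += [(round(1.0 + 0.01 * i, 2), f"203.0.113.{i + 1}", SERVER, "S") for i in range(50)]


def replay_half_open(trace, threshold: int, timeout: float = 10.0):
    """Replay a trace, tracking half-open (SYN seen, client ACK not yet seen) connections
    per destination.  Returns (peak_per_dst, alerts); an alert is recorded the first time
    a destination's half-open count exceeds `threshold`.  Entries older than `timeout`
    seconds are dropped, mirroring a server timing out unanswered SYNs."""
    pending = {}  # (src, dst) -> time of the SYN
    peak = defaultdict(int)
    alerts = []
    alerted = set()
    for t, src, dst, flags in sorted(trace):
        # Expire stale half-open entries before processing this packet.
        for key in [k for k, t0 in pending.items() if t - t0 > timeout]:
            del pending[key]
        if flags == "S":
            pending[(src, dst)] = t
        elif flags == "A" and (src, dst) in pending:
            del pending[(src, dst)]  # third step of the handshake: connection completed
        # SYN-ACKs from the server do not change the half-open state tracked here.
        counts = defaultdict(int)
        for _, d in pending:
            counts[d] += 1
        for d, n in counts.items():
            peak[d] = max(peak[d], n)
            if n > threshold and d not in alerted:
                alerted.add(d)
                alerts.append((t, d, n))
    return dict(peak), alerts


def baseline_threshold(normal_peaks, margin: float = 2.0) -> int:
    """Derive a threshold from peaks measured during normal operation: margin times
    the largest normal peak, and at least 1 so an empty baseline never alerts on nothing."""
    return max(1, int(margin * max(normal_peaks, default=0)))


if __name__ == "__main__":
    peak, alerts = replay_half_open(TRACE, threshold=20)
    print("peak half-open per destination:", peak)
    print("alerts:", alerts)
```

Because the spoofed sources never send the final ACK, the legitimate client's entry is the only one that ever leaves the table on its own; everything else leaves only through the timeout, which is exactly the resource the flood is exhausting.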
Mapping between NID system and Biological IS

  Immune System           Network Environment
  Thymus                  Primary IDS that generates the detectors
  Secondary Lymph Nodes   Local Hosts
  Antibodies              Detectors
  Antigens                Network Intrusions
  Self                    Normal Activities
  Non-self                Abnormal Activities
SURVEY
Haystack
• Developed for a multi-user environment at the Department of Defense (USA)
• Caters for various types of intrusions, including DDoS attacks
• Hybrid of Signature based and Anomaly based
• Information is presented to the System Security Officer (SSO) for final verification of the intrusion
Haystack
[Diagram: Haystack processing pipeline, read from raw inputs upward]
  Raw Inputs: Target System’s Audit Trail events
    → Haystack Pre-processor on Target System
  Processed Inputs: Canonical Audit Trail (CAT) events
    → Haystack Processor on Analysis system
  Security incident report:
    Who: Subject/Object          When: Date/Time
    What: Suspected Intrusion Type
    Where: Location (Physical or Logical)
    Relevant Events: Details, Summary Reports
    → Security Violation → Investigating Human Analysis → INTRUSION
NIDES
• Started as IDES by SRI
• Statistical Anomaly based NID System
• Used in conjunction with a Rule-based system
• Statistics such as frequencies, means and covariances represent a point in an n-dimensional space S^n
• If the distance between the stored point and the audited point crosses a threshold, then the audit is considered to be anomalous
NIDES
[Diagram: NIDES architecture]
  Target host 1 … Target host N: each Target Auditing System produces native-format audit data,
    which an agen converts to NIDES-format audit data
  → Arpool (collects NIDES-format audit data from all hosts)
  → Statistical Analysis and Rulebased Analysis (each receives NIDES-format audit data)
  → Statistical Analysis Results and Rulebase Analysis Results → Resolver
  → Resolved Analysis Result → SSO
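The statistical half of the NIDES idea above, as an added example in Python (not NIDES's own code or algorithm): a stored profile point is built from per-feature means and spreads over training audit records, and an audited record is scored by its distance from that point with each axis scaled by its own spread, so a feature with naturally large variance does not dominate. The audit features (logins, files accessed, CPU seconds), the training records and the threshold are constructed assumptions.

```python
import math

# Constructed per-session audit records: (logins, files_accessed, cpu_seconds).
TRAINING = [
    (3, 20, 1.5), (4, 22, 1.7), (2, 18, 1.3),
    (3, 21, 1.6), (4, 19, 1.4), (3, 20, 1.5),
]


class Profile:
    """Stored point in the n-dimensional statistics space: per-feature mean and spread."""

    def __init__(self, records):
        if not records:
            raise ValueError("need at least one training record")
        n = len(records)
        dims = len(records[0])
        self.mean = tuple(sum(r[i] for r in records) / n for i in range(dims))
        # A zero spread would make any deviation infinite, so fall back to 1.0 there.
        self.std = tuple(
            math.sqrt(sum((r[i] - self.mean[i]) ** 2 for r in records) / n) or 1.0
            for i in range(dims)
        )


def anomaly_score(profile: Profile, record) -> float:
    """Distance between the stored point and the audited point, each axis scaled by
    its own spread (a standardised Euclidean distance)."""
    if len(record) != len(profile.mean):
        raise ValueError("record has the wrong number of features")
    return math.sqrt(
        sum(((x - m) / s) ** 2 for x, m, s in zip(record, profile.mean, profile.std))
    )


def is_anomalous(profile: Profile, record, threshold: float) -> bool:
    """The audit is anomalous when its distance from the profile crosses the threshold."""
    return anomaly_score(profile, record) > threshold


def audit(profile: Profile, records, threshold: float) -> list:
    """Score a batch of audited records; returns (record, score, anomalous) triples."""
    return [(r, anomaly_score(profile, r), is_anomalous(profile, r, threshold)) for r in records]


if __name__ == "__main__":
    profile = Profile(TRAINING)
    # Constructed audited records: one ordinary session and one that touched far more files.
    for row in audit(profile, [(3, 20, 1.5), (5, 400, 12.0)], threshold=3.0):
        print(row)
```

The fallback for a zero spread matters in practice: a feature that never varied during training (a service that was never used) would otherwise flag any first use as infinitely anomalous, which is the "profile is only as good as the training window" caveat from the anomaly-based slide in numerical form.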
Wisdom & Sense
• Two sub-systems
   – Wisdom
   – Sense
• Wisdom creates rules defining normal behavior
   – Rules are formed using trees
   – Default tree consists of all possible states
   – Tree is pruned using audit data to form the SELF TREE
• Sense comprises an expert system
   – Audit data is used to traverse the rule trees
   – Every time the root is not reached, this shows a deviation from normal behavior
• If the number of deviations per unit time exceeds a threshold, an anomaly is reported and the consequent action is invoked
Comp-Watch
• Developed at AT&T Labs SS Department
• Provides the SSO with statistical data
• Not an automatic reactive system
• The decision about further investigation is left up to the administrator
• More like a tool that tries to visualize and present data to the SSO
DIDS
• Distributed Intrusion Detection System
• 3 Major Components
   1. Host monitor (monitors events on a host)
   2. LAN monitor (monitors network traffic on the LAN)
   3. Central DIDS director (brain for the whole system)
• An expert system at the Central DIDS director
JiNao
• Caters for both internal and external intrusions
• Focuses on the OSPF routing protocol
• Work is done on 3 kinds of attacks affecting LSA packets
   – Seq++ (increment of seq. no. by 1)
   – Maxage attack (LSA age is modified to maxage)
   – Maxseq# attack (seq. no. is set to 0x7fffffff, i.e. max seq. no.)
• Comprises several modules
   – Interception
   – Prevention
   – Detection
   – Statistical
   – Protocol analysis
   – Local decision
   – Information abstraction modules
EMERALD
• Event Monitoring Enabling Responses to Anomalous Live Disturbances
• Detects malicious activities across large networks
• Hybrid of signature and anomaly
• Real-time protection
• Uses highly distributed, independently tunable surveillance and response monitors
Kim & Bentley
• Artificial Immune System
• Proposed distributed model
• Local IDS
   – Detects local intrusions
   – Communicates with the network
• Secondary IDS
   – Network Intrusion Detection
• Proposed strings of length l and cardinality 10
LISYS
• Hofmeyr, Forrest (New Mexico)
• AIS framework called ARTIS
• Specialized for NID in LISYS
• Monitoring of TCP-SYN packets
• 49-bit length, Cardinality = 2
• Tested using matching techniques
   – r-contiguous
   – hamming
• Well documented!
CIDS
• Artificial Immune System
• Williams
• Processes Network traffic at packet level
• Uses
   – TCP
   – UDP
   – ICMP
• Genetic algorithm for
   – Affinity maturation
   – Costimulation
DAIS
• Martin Thorsen Ranang (Norway)
• Extension of LISYS
• Distributed Model
• Monitored only TCP-SYN packets
• Affinity Maturation
   – Somatic Hypermutation
   – Clonal Proliferation
Conclusion
• Mechanisms in the biological IS that can be utilized for NID (Biological IS → NID)
• AIS architecture for TCP-SYN flood based attacks
• Survey: Increasing trend of designing hybrid systems

				