A Wavelet Approach to Network Intrusion Detection - PowerPoint PPT Presentation

Slides: 77
Provided by: IUP51
Learn more at: http://web.cecs.pdx.edu
1
A Wavelet Approach to Network Intrusion Detection
  • W. Oblitey & S. Ezekiel
  • IUP Computer Science Dept.

2
Intrusion Detection
  • Provides monitoring of system resources to help
    detect intrusion and/or identify attacks.
  • Complementary to blocking devices.
  • Insider attacks.
  • Attacks that use traffic permitted by the
    firewall.
  • Can monitor the attack after it crosses through
    the firewall.
  • Helps gather useful information for
  • Detecting attackers,
  • Identifying attackers,
  • Revealing new attack strategies.

3
Classification
  • Intrusion Detection Systems are classified
    according to how they detect malicious activity
  • Signature detection systems
  • Also called Misuse detection systems
  • Anomaly detection systems
  • Also classified as
  • Network-based intrusion detection systems
  • Monitor network traffic
  • Host-based intrusion detection systems.
  • Monitor activity on host machines

4
Signature Detection
  • Achieved by creating signatures
  • Models of attack
  • Monitored events compared to models to determine
    qualification as attacks.
  • Excellent at detecting known attacks.
  • Requires the signatures to be created and entered
    into the sensor's database before operation.
  • May generate false alarms (False Positives).
  • Problem
  • Needs a large number of signatures for effective
    detection.
  • The database can grow very massive.

5
Anomaly Detection
  • Creates a model of normal use and looks for
    activity that does not conform to the model.
  • Problems with this method
  • Difficulty in creating the model of normal
    activity
  • If the network already had malicious activity on
    it, is it normal activity?
  • Some patterns classified as anomalies may not be
    malicious.

6
Network-Based IDS
  • By far the most commonly employed form of
    Intrusion Detection Systems.
  • To many people, IDS is synonymous with NIDS.
  • Matured more quickly than the host-based
    equivalents.
  • Large number of NIDS products available on the
    market.

7
Deploying NIDS
  • Points to consider
  • Where do sensors belong in the network?
  • What is to be protected the most?
  • Which devices hold critical information assets?
  • Cost effectiveness
  • We cannot deploy sensors on all network segments.
  • It would not even be manageable.
  • We need to carefully consider where sensors are
    to be deployed.

8
Locations for IDS Sensors
  • Just inside the firewall.
  • The firewall is a bottleneck for all traffic.
  • All inbound/outbound traffic passes here.
  • The sensor can inspect all incoming and outgoing
    traffic.
  • On the DMZ.
  • The publicly reachable hosts located here are
    often attacked.
  • The DMZ is usually the attacker's first point of
    entry into the network.
  • On the server farm segment.
  • We can monitor mission-critical application
    servers.
  • Example Financial, Logistical, Human Resources
    functions.
  • Also monitors insider attacks.
  • On the network segments connecting the mainframe
    or midrange hosts.
  • Monitors mission-critical devices.

9
The Network Monitoring Problem
  • Network-based IDS sensors employ sniffing to
    monitor the network traffic.
  • Networks using hubs
  • Can monitor all packets.
  • Hubs transmit every packet out of every connected
    interface.
  • Switched networks
  • The sensor must be able to sniff the passing
    traffic.
  • Switches forward packets only to ports connected
    to destination hosts.

10
Monitoring Switched Networks
  • Use of Switch Port Analyzer (SPAN)
    configurations.
  • Causes the switch to copy all packets destined for
    a given interface.
  • Transmits the copies to the configured monitor port.
  • Use of hubs in conjunction with the switches.
  • The hub must be a fault-tolerant one.
  • Use of taps in conjunction with the switches.
  • Fault-tolerant hub-like devices.
  • Permit only one-way transmission of data out of
    the monitoring port.

11
NIDS Signature Types
  • These look for patterns in packet payloads that
    indicate possible attacks.
  • Port signatures
  • Watch for connection attempts to known or
    frequently attacked ports.
  • Header signatures
  • These watch for dangerous or illogical
    combinations in packet headers.

12
Network IDS Reaction Types
  • Typical reactions of network-based IDS with
    active monitoring upon detection of attack in
    progress
  • TCP resets
  • IP session logging
  • Shunning or blocking
  • Capabilities are configurable on a per-signature
    basis
  • Sensor responds based on configuration.

13
TCP Reset Reaction
  • Operates by sending a TCP reset packet to the
    victim host.
  • This terminates the TCP session.
  • Spoofs the IP address of the attacker.
  • Resets are sent from the sensor's
    monitoring/sniffing interface.
  • It can terminate an attack in progress but cannot
    stop the initial attack packet from reaching the
    victim.

14
IP Session Logging
  • The sensor records traffic passing between the
    attacker and the victim.
  • Can be very useful in analyzing the attack.
  • Can be used to prevent future attacks.
  • Limitation
  • Only the trigger and the subsequent packets are
    logged.
  • Preceding packets are lost.
  • Can impact sensor performance.
  • Quickly consumes large amounts of disk space.

15
Shunning/Blocking
  • Sensor connects to the firewall or a
    packet-filtering router.
  • Configures filtering rules
  • Blocks packets from the attacker
  • Needs arrangement of proper authentication
  • Ensures that the sensor can securely log into the
    firewall or router.
  • A temporary measure that buys time for the
    administrator.
  • The problem with spoofed source addresses.

16
Host-based IDS
  • Started in the early 1980s when networks were not
    so prevalent.
  • Primarily used to protect only critical servers
  • Software agent resides on the protected system
  • Signature based
  • Detects intrusions by analyzing logs of operating
    systems and applications, resource utilization,
    and other system activity
  • Use of resources can have impact on system
    performance

17
HIDS Methods of Operation
  • Auditing logs
  • system logs, event logs, security logs, syslog
  • Monitoring file checksums to identify changes
  • Elementary network-based signature techniques
    including port activity
  • Intercepting and evaluating requests by
    applications for system resources before they are
    processed
  • Monitoring of system processes for suspicious
    activity

18
Log File Auditing
  • Detects past activity
  • Cannot stop the action that set off the alarm
    from taking place.
  • Log Files
  • Monitor changes in the log files.
  • New log entries are compared with HIDS attack
    signature patterns for a match
  • If a match is detected, the administrator is alerted

19
File Checksum Examination
  • Detects past activity
  • Cannot stop the action that set off the alarm
    from taking place.
  • Hashes created only for system files that should
    not change or change infrequently.
  • Inclusion of frequently changing files is a huge
    disturbance.
  • File checksum systems, like Tripwire, may also be
    employed.

20
Network-Based Techniques
  • The IDS product monitors packets entering and
    leaving the host's NIC for signs of malicious
    activity.
  • Designed to protect only the host in question.
  • The attack signatures used are not as
    sophisticated as those used in NIDS.
  • Provides rudimentary network-based protections.

21
Intercepting Requests
  • Intercepts calls to the operating system before
    they are processed.
  • Is able to validate software calls made to the
    operating system and kernel.
  • Validation is accomplished by
  • Generic rules about what processes may have
    access to resources.
  • Matching calls to system resources with
    predefined models which identify malicious
    activity.

22
System Monitoring
  • Can preempt attacks before they are executed.
  • This type of monitoring can
  • Prevent files from being modified.
  • Allow access to data files only to a predefined
    set of processes.
  • Protect system registry settings from
    modification.
  • Prevent critical system services from being
    stopped.
  • Protect settings for users from being modified.
  • Stop exploitation of application vulnerabilities.

23
HIDS Software
  • Deployed by installing agent software on the
    system.
  • Effective for detecting insider-attacks.
  • Host wrappers
  • Inexpensive and deployable on all machines
  • Do not provide the in-depth, active monitoring
    measures of agent-based HIDS products
  • Sometimes referred to as personal firewalls
  • Agent-based software
  • More suited for single purpose servers

24
HIDS Active Monitoring Capabilities
  • Options commonly used
  • Log the event
  • Very good for post mortem analysis
  • Alert the administrator
  • Through email or SNMP traps
  • Terminate the user login
  • Perhaps with a warning message
  • Disable the user account
  • Preventing access to memory, processor time, or
    disk space.

25
Advantages of Host-based IDS
  • Can verify success or failure of attack
  • By reviewing log entries
  • Monitors user and system activities
  • Useful in forensic analysis of the attack
  • Can protect against non-network-based attacks
  • Reacts very quickly to intrusions
  • By preventing access to system resources
  • By immediately identifying a breach when it
    occurs
  • Does not rely on particular network
    infrastructure
  • Not limited by switched infrastructures
  • Installed on the protected server itself
  • Does not require additional hardware to deploy
  • Needs no changes to the network infrastructure

26
Active/Passive Detection
  • The ability of an IDS to take action when it
    detects suspicious activity.
  • Passive Systems
  • Take no action to stop or prevent the activity.
  • They log events.
  • They alert administrators.
  • They record the traffic for analysis.
  • Active Systems
  • They do all the recording that passive systems
    do,
  • They interoperate with firewalls and routers
  • Can cause blocking or shunning
  • They can send TCP resets.

27
Our Approach
  • We present a novel variant of the anomaly
    detection scheme.
  • We show how to detect attacks without the use of
    data banks.
  • We show how to correlate multiple inputs to
    define the basis of a new generation analysis
    engine.

28
Signals and Signal Processing
  • Signal definition
  • A function of independent variables like time,
    distance, position, temperature, and pressure.
  • Signals play an important part in our daily lives
  • Examples: speech, music, pictures, and video.
  • Signal Classification
  • Analog: the independent variable on which the
    signal depends is continuous.
  • Digital: the independent variable is discrete.
  • Digital signals are represented as a sequence of
    numbers (samples).
  • Signals carry information
  • The objective of signal processing is to extract
    this useful information.

29
Energy of a Signal
  • We can also define a signal as a function of
    varying amplitude through time.
  • The measure of a signal's strength is the area
    under the absolute value of the curve.
  • This measure is referred to as the energy of the
    signal and is defined as
  • Energy of continuous signal
  • Energy of discrete signal

30
What is a Wavelet? (Wavelet Analysis)
  • Wavelets are functions that satisfy certain
    mathematical requirements and are used to
    represent data or other functions
  • The idea is not new --- Joseph Fourier --- 1800's
  • Wavelet --- the scale we use to see the data plays
    an important role
  • FT is non-local --- does a very poor job on sharp
    spikes

Figure: wavelet db10 compared with a sine wave
31
History of wavelets
  • 1807 Joseph Fourier -- theory of frequency
    analysis -- any 2π-periodic function f(x) is the
    sum of its Fourier series
  • 1909 Alfred Haar -- PhD thesis -- defined the Haar
    basis function -- it has compact support (vanishes
    outside a finite interval)
  • 1930 Paul Levy (physicist) investigated Brownian
    motion (a random signal) and concluded the Haar
    basis is better than the FT
  • 1930's Littlewood, Paley, Stein → calculated the
    energy of the function
  • 1960 Guido Weiss, Ronald Coifman -- studied the
    simplest element of a function space, called an
    atom
  • 1980 Grossmann (physicist) and Morlet (engineer) --
    broadly defined wavelets in terms of quantum
    mechanics
  • 1985 Stephane Mallat -- defined wavelets for his
    Digital Signal Processing work for his Ph.D.
  • Y. Meyer constructed the first non-trivial wavelet
  • 1988 Ingrid Daubechies -- used Mallat's work to
    construct a set of wavelets
  • The name emerged from the literature of
    geophysics, by a route through France. The word
    onde led to ondelette. Translation: wave led to
    wavelet

32
Fourier Series and Energy
33
Functions
  • Functions (in science and engineering) often use
    time as their parameter
  • g(t) → represents the time domain
  • since a typical function oscillates, think of it
    as a wave, so G(f), where f is the frequency of the
    wave, is the function represented in the frequency
    domain
  • A function g(t) is periodic if there exists a
    nonzero constant P s.t. g(t+P) = g(t) for all t,
    where P is called the period
  • A periodic function has 4 important attributes
  • Amplitude: the max value it has in any period
  • Period --- 2P
  • Frequency: f = 1/P (inverse), cycles per second, Hz
  • Phase: cos is a sin function with a phase

34
Fourier, Haar
  • Amplitude, time → amplitude, frequency
  • 1965 Cooley and Tukey Fast Fourier Transform
  • Haar

35
CWT
  • The continuous wavelet transform (CWT) of a
    function f(t) uses a mother wavelet
  • The mother wavelet may be real or complex, with the
    following properties
  • 1. the total area under the curve = 0,
  • 2. the total area of is finite
  • 3. Admissibility condition
  • oscillates above and below the t-axis
  • the energy of the function is finite → the
    function is localized
  • An infinite number of functions satisfy the above
    conditions; some of them are used for the wavelet
    transform
  • Examples
  • Morlet wavelet
  • Mexican hat wavelet

36
  • Once a wavelet has been chosen, the CWT of a
    square-integrable function f(t) is defined as
  • denotes the complex conjugate
  • For any a,
  • Thus b is a translation parameter
  • Setting b = 0,
  • Here a is a scaling parameter
  • a > 1 stretches the wavelet and 0 < a < 1 shrinks it

37
Wavelets
  • Fourier Transform
  • CWT: C(scale, position)
  • Scaling a wave means simply stretching (or
    shrinking) it
  • Shifting: f(t) → f(t-k)
38
Wavelets (continued)
  • Wavelets are basis functions in
    continuous time
  • A basis is a set of linearly independent functions
    that can be used to produce a function f(t)
  • f(t) is a combination of basis functions
  • is constructed from a single mother
    wave w(t) -- normally it is a small wave -- it
    starts at 0 and ends at t = N
  • Shrunken (scaled)
  • shifted
  • A typical wavelet compressed j times
    and shifted k times is
  • Property: the remarkable property is orthogonality,
    i.e. their inner products are zero
  • This leads to a simple formula for b_jk

39
  • Haar Transform
  • Digitized sound and images are discrete → we need
    discrete wavelets
  • where c_k and d_j,k are coefficients to be
    calculated
  • Example: consider the array of 8 values
    (1,2,3,4,5,6,7,8)
  • 4 average values → 4 differences (detail
    coefficients)
  • calculate the average and difference for the 4
    averages
  • continue this way
  • The method is called PYRAMID DECOMPOSITION
  • The Haar transform depends on the coefficients ½, ½
    and ½, -½
  • if we replace 2 by √2 then it is called coarse
    detail and fine detail

40
Transforms
  • Transform of a signal is a new representation of
    that signal
  • Example- signal x0,x1,x2,x3 define
    y0,y1,y2,y3
  • Questions
  • 1. What is the purpose of y's
  • 2. Can we get back x's
  • Answer for 2: the transform is invertible --
    perfect reconstruction
  • Divide transforms into 3 groups
  • 1. Lossless (orthogonal) -- the transformed signal
    has the same length
  • 2. Invertible (bi-orthogonal) -- length and angle
    may change -- no information lost
  • 3. Lossy (not invertible)

41
Answer to Q1: Purpose
  • IT SEES LARGE vs SMALL
  • x0 = 1.2, x1 = 1.0, x2 = -1.0, x3 = -1.2
  • y = (2.2, 0, -2.2, 0)
  • The key idea for wavelets is the concept of "SCALE"
  • We can take sums and differences again →
    recursion → multiresolution
  • Main idea of wavelet analysis: analyze a function
    at different scales; the mother wavelet is used to
    construct wavelets at different scales and
    translate each relative to the function being
    analyzed
  • z = (0, 0, 4.4, 0)
  • Reconstruct → compression 4:1

42 to 48
(No Transcript; image-only slides)
49
  • Real electricity consumption
  • peak in the center, followed by two drops, a
    shallow drop, and then a considerably weaker peak
  • d1, d2 show the noise
  • d3 presents high values at the beginning and at
    the end of the main peak, thus allowing us to
    locate the corresponding peak
  • d4 shows 3 successive peaks; this fits the shape
    of the curve remarkably
  • a1, a2: strong resemblance
  • a3 reasonable ---- a4 lost lots of information

50 to 53
(No Transcript; image-only slides)
54
  • JPEG (Joint Photographic Experts Group)
  • 1. Color images (RGB) are changed into the
    luminance/chrominance color space
  • 2. The chrominance (not the luminance) part is
    down-sampled by creating low-resolution pixels
    horizontally and vertically (2:1 or 2:1, 1:1):
    1/3 + (2/3)(1/4) = ½ the original size
  • 3. Group 8x8 pixels, called data sets; if the
    dimensions are not a multiple of 8, the bottom row
    and right column are duplicated
  • 4. Apply the DCT to each data set → 64
    coefficients
  • 5. Each of the 64 frequency components in a data
    unit is divided by a separate number called the
    quantization coefficient (QC) and then rounded to
    an integer
  • 6. Encode the quantized coefficients using RLE,
    Huffman encoding, or arithmetic encoding (QM coder)
  • 7. Add headers and parameters, and output the
    result
  • interchangeable format: compressed data plus all
    tables needed by the decoder
  • abbreviated format: compressed data without tables
    (or with a few tables)
  • abbreviated format: just tables, no compressed
    data
  • THE DECODER DOES THE REVERSE OF THE ABOVE STEPS

55
  • JPEG 2000 or JPEG Y2k
  • Divide into 3 colors
  • Each color is partitioned into rectangular,
    non-overlapping regions called tiles that are
    compressed individually
  • A tile is compressed in 4 main steps
  • 1. Compute the wavelet transform (sub-bands of
    integer or floating-point wavelets) --- L+1 levels,
    where L is a parameter determined by the encoder
  • 2. The wavelet coefficients are quantized --
    depends on the bit rate
  • 3. Use an arithmetic encoder for the wavelet
    coefficients
  • 4. Construct the bit stream for certain regions, in
    no particular order
  • Bit streams are organized into layers; each
    layer contains higher-resolution image
    information
  • thus decoding layer by layer is a natural way to
    achieve progressive image transformation and
    decompression

56 to 57
(No Transcript; image-only slides)
58
Image slide with sub-band labels A, H, D, V
59
(No Transcript; image-only slide)
60
Lowpass Filter: Moving Average
  • y(n) = x(n)/2 + x(n-1)/2, here h(0) = 1/2 and
    h(1) = 1/2
  • Fits the standard form for k = 0, 1; x = unit
    impulse
  • x = (...0 0 0 0 1 0 0 0...) then y = (...0 0 1/2
    1/2 0 0...)
  • average filter = 1/2 (identity) + 1/2 (delay)
  • Every linear operator acting on a single vector x
    can be represented by y = Hx
  • the main diagonal comes from the identity -- the
    subdiagonal comes from the delay
  • we have finite (two) coefficients → FIR, finite
    impulse response
  • low pass → scaling function
  • It smooths out bumps in the signal (high-frequency
    components)

61
Highpass Filter: Moving Difference
  • y(n) = 1/2 [x(n) - x(n-1)]
  • h(0) = 1/2
  • h(1) = -1/2
  • y = H1 x
  • Filter Bank: Lowpass and Highpass
  • they separate the signal into frequency bands
  • Problem -- signal length doubled,
  • both are the same size as the signal → gives double
    the size of the original signal
  • Solution -- Down Sampling

62
Down Sampling
  • We can keep half of H0 and H1 and still recover x
  • Save only the even-numbered components (delete the
    odd-numbered elements) -- denoted by (↓2) --
    decimation
  • (↓2)y = (... y(-4) y(-2) y(0) y(2) .......)
  • Filtering + down sampling → Analysis Bank
    (brings a half-size signal)
  • The inverse of this process → Synthesis Bank
  • i.e. up sampling + filtering
  • Add zeros between the even-numbered components (it
    will bring back the full size); denoted by (↑2)
  • y → (↓2 y) → (↑2)(↓2 y)

63
Scaling Function and Wavelets
  • corresponding to the low pass → there is a scaling
    function
  • corresponding to the high pass → there is a wavelet
    function
  • dilation equation → scaling function
  • In terms of the original low pass filters
  • we have
  • for h(0) and h(1) = 1/2 we have
  • the graph compressed by 2 gives
    and shifted by 1/2 gives
  • In a similar way, the wavelet equation

64
Wavelet Packet
  • Walsh-Hadamard transform -- complete binary tree
    → wavelet packet
  • "Hadamard matrix" → all entries are 1 and -1 and
    all rows are orthogonal -- divide two times by
    sqrt(2) → orthogonal, symmetric
  • Compare with wavelet -- computations

  • Figure: wavelet packet tree of x
  • sums y0 and y2 → sum z0 = 0, difference z2 = 4.4
  • differences y1 and y3 → sum z1 = 0.4, difference
    z3 = 0
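The Haar pyramid of slide 39, the sum/difference transform of slides 40-41 and the wavelet-packet (Walsh-Hadamard) tree of slide 64, as an added Python example that is not part of the presentation. The `scale` parameter is my own device for switching between the ½ (average/difference), 1 (sum/difference) and 1/√2 (energy-preserving) conventions the slides mention.

```python
import math

def haar_step(x, scale=0.5):
    """One Haar step: pairwise sums and differences of x, times scale.
    scale=0.5 gives averages and half-differences (slide 39), scale=1 gives
    plain sums/differences (slides 40-41, 64), scale=1/sqrt(2) gives the
    orthonormal version that preserves the signal's energy (slide 29)."""
    if len(x) % 2:
        raise ValueError("Haar step needs an even-length input")
    coarse = [(x[i] + x[i + 1]) * scale for i in range(0, len(x), 2)]
    detail = [(x[i] - x[i + 1]) * scale for i in range(0, len(x), 2)]
    return coarse, detail

def inverse_haar_step(coarse, detail, scale=0.5):
    """Undo haar_step: c=(x0+x1)s, d=(x0-x1)s give x0=(c+d)/2s, x1=(c-d)/2s."""
    x = []
    for c, d in zip(coarse, detail):
        x.append((c + d) / (2 * scale))
        x.append((c - d) / (2 * scale))
    return x

def pyramid(x, levels, scale=0.5):
    """PYRAMID DECOMPOSITION (slide 39): keep splitting the coarse part only.
    Returns (final approximation, [d1, d2, ..., dL])."""
    approx, details = list(x), []
    for _ in range(levels):
        approx, d = haar_step(approx, scale)
        details.append(d)
    return approx, details

def reconstruct(approx, details, scale=0.5):
    """Perfect reconstruction (slide 40): invert the steps in reverse order."""
    x = list(approx)
    for d in reversed(details):
        x = inverse_haar_step(x, d, scale)
    return x

def wavelet_packet(x, scale=1.0):
    """Complete binary tree of sums and differences (slide 64), i.e. the fast
    Walsh-Hadamard butterfly with strides 1, 2, 4, ...  Unlike pyramid(), the
    difference branch is split again too.  Coefficients come out in the
    interleaved order of the slide-64 figure: z0 = y0+y2, z1 = y1+y3,
    z2 = y0-y2, z3 = y1-y3.  Length must be a power of two."""
    z = list(x)
    stride = 1
    while stride < len(z):
        for start in range(0, len(z), 2 * stride):
            for j in range(start, start + stride):
                a, b = z[j], z[j + stride]
                z[j], z[j + stride] = (a + b) * scale, (a - b) * scale
        stride *= 2
    return z

def energy(x):
    """Energy of a discrete signal (slide 29): sum of the squared samples."""
    return sum(v * v for v in x)

if __name__ == "__main__":
    a, ds = pyramid([1, 2, 3, 4, 5, 6, 7, 8], 3)
    print("approximation", a, "details", ds)   # [4.5] [[-0.5]*4, [-1.0, -1.0], [-2.0]]
    print("reconstructed", reconstruct(a, ds))  # [1.0, 2.0, ..., 8.0]
    x = [1.2, 1.0, -1.0, -1.2]                  # the signal of slide 41
    print("y (sums, differences)", haar_step(x, 1.0))
    print("z (packet tree)", wavelet_packet(x))  # [0.0, 0.4, 4.4, 0.0]
    s = 1 / math.sqrt(2)
    print("energy kept:", energy(x), energy(wavelet_packet(x, s)))
```

With scale 1 the four packet coefficients match the z0..z3 labels of the slide-64 figure, and one of the four carries almost everything, which is the "large vs small" point of slide 41.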
65
Filters and Filter Banks
  • A filter is a linear time-invariant operator
  • It acts on an input vector x --- the output vector
    y is the convolution of x with a fixed vector h
  • h → contains the filter coefficients -- our
    filters are digital, not analog -- h(n) are at
    discrete times t = nT,
  • T is the sampling period; assume it is 1 here
  • x(n) and y(n) come at all times t = 0, ±1, ....
  • y(n) = Σ h(k) x(n-k): convolution h * x in the
    time domain
  • Filter Bank: set of all filters
  • Convolution by hand --- arrange it as ordinary
    multiplication -- but don't carry digits from one
    column to another
  • x = 3 2 4, h = 1 5 2
  • x * h = 3 17 20 24 8
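The moving-average and moving-difference filters of slides 60-61, the (↓2)/(↑2) steps of slide 62 and the hand convolution of slide 65, as an added Python example that is not from the presentation. It shows the claim of slide 62 in code: after (↓2) half of each filter output is gone, yet the two kept halves together still recover x exactly; the signal values other than slide 65's 3 2 4 and 1 5 2 are my own.

```python
def convolve(x, h):
    """y(n) = sum_k h(k) x(n-k): 'multiplication without carries' (slide 65).
    Full-length output, n = 0 .. len(x)+len(h)-2; samples outside x are 0."""
    y = [0.0] * (len(x) + len(h) - 1)
    for n in range(len(y)):
        for k, hk in enumerate(h):
            if 0 <= n - k < len(x):
                y[n] += hk * x[n - k]
    return y

def filter_matrix(h, n):
    """H with h(0) on the main diagonal (identity) and h(1) on the
    subdiagonal (delay), so convolve(x, h) == H x for a length-n x (slide 60)."""
    rows = n + len(h) - 1
    return [[h[r - c] if 0 <= r - c < len(h) else 0.0 for c in range(n)]
            for r in range(rows)]

LOWPASS = [0.5, 0.5]    # H0: y(n) = x(n)/2 + x(n-1)/2, the moving average
HIGHPASS = [0.5, -0.5]  # H1: y(n) = (x(n) - x(n-1))/2, the moving difference

def downsample(y):
    """(down 2): keep only the even-numbered components (decimation)."""
    return y[0::2]

def upsample(y):
    """(up 2): put a zero after every kept sample, back to full length."""
    out = []
    for v in y:
        out += [v, 0.0]
    return out

def analysis_bank(x):
    """Filter, then downsample: two half-size signals (slide 62)."""
    return downsample(convolve(x, LOWPASS)), downsample(convolve(x, HIGHPASS))

def synthesis_bank(low, high, n):
    """Recover x of length n from the kept (even-indexed) outputs only.
    Kept pair k is low_k = (x(2k)+x(2k-1))/2 and high_k = (x(2k)-x(2k-1))/2,
    so x(2k) = low_k + high_k and x(2k-1) = low_k - high_k, with x(-1) = 0.
    (The full convolution adds one boundary sample per band, hence n+2 kept.)"""
    x = [0.0] * n
    for k, (lo, hi) in enumerate(zip(low, high)):
        if 2 * k < n:
            x[2 * k] = lo + hi
        if 2 * k - 1 >= 0:
            x[2 * k - 1] = lo - hi
    return x

if __name__ == "__main__":
    print(convolve([3, 2, 4], [1, 5, 2]))        # [3, 17, 20, 24, 8], as on slide 65
    print(convolve([0, 0, 1, 0, 0], LOWPASS))    # unit impulse -> 0 0 1/2 1/2 0 0
    x = [3, 2, 4, 1, 5, 9]                       # constructed input
    low, high = analysis_bank(x)
    print(low, high, synthesis_bank(low, high, len(x)))   # x comes back
    y = convolve(x, LOWPASS)
    print(upsample(downsample(y)) == y)          # False: (up 2)(down 2) zeroes odd samples
```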

66
Our Network Topology
  • We set up a star topology network
  • Four computers in an island
  • Each running Linux RedHat 9.2
  • The machines are connected by a switch
  • The switch is connected to a PIX 515E Firewall
  • A 3Com Ethernet hub sits between the switch and
    the firewall
  • For Sniffing and capturing packets
  • We duplicated this island six times and connected
    them with routers.
  • We then connected the islands, via the routers,
    to a central Cisco switch.
  • For simulation purposes, we installed Windows XP
    on one machine in island one.

67
Data Collection
  • We generated packets with a Perl script on a
    Linux system.
  • We used the three most common protocols for our
    simulation
  • HTTP, FTP, and SMTP.
  • For each protocol
  • We generated constant traffic
  • We created 50 datasets each consisting of the
    number of packets transmitted over two-minute
    intervals.
  • We executed the same traffic scripts with a
    random pause between 0 and 60 seconds.
  • We then re-ran the traffic with a pause between 0
    and 15 seconds to create additional datasets.
  • We collected all 150 datasets with Ethereal for
    further analysis.
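The per-interval packet counts described above form a discrete signal, so the Haar machinery of the earlier slides can be run over them. Added Python example, not the authors' analysis engine: the packet counts are constructed, and the detection rule (flag a detail coefficient whose magnitude exceeds median + k·MAD of its level) is my own assumption, chosen because it needs no signature data bank.

```python
import statistics

# Constructed sample, not the authors' data: packets counted per two-minute
# interval for one protocol on one island. Baseline about 120 packets with
# jitter; intervals 19..22 carry a burst standing in for a flood.
PACKET_COUNTS = [118, 122, 120, 119, 121, 123, 117, 120,
                 122, 118, 121, 119, 120, 124, 118, 121,
                 119, 120, 122, 640, 655, 648, 631, 118,
                 120, 119, 123, 121, 118, 120, 122, 119]

def haar_step(x):
    """One pyramid step: averages and half-differences of adjacent pairs
    (a trailing unpaired sample is dropped)."""
    a = [(x[i] + x[i + 1]) / 2 for i in range(0, len(x) - 1, 2)]
    d = [(x[i] - x[i + 1]) / 2 for i in range(0, len(x) - 1, 2)]
    return a, d

def haar_details(x, levels):
    """Detail vectors d1..dL; d_j[i] summarises intervals [i*2**j, (i+1)*2**j)."""
    details, a = [], list(x)
    for _ in range(levels):
        a, d = haar_step(a)
        details.append(d)
    return details

def robust_threshold(values, k):
    """median + k*MAD of |values|: 'normal' derived from the signal itself
    (assumed rule), so no stored signatures are needed."""
    mags = [abs(v) for v in values]
    med = statistics.median(mags)
    mad = statistics.median([abs(m - med) for m in mags]) or 1.0
    return med + k * mad

def wavelet_anomalies(counts, levels=3, k=5.0):
    """Return (level, first_interval, last_interval, detail) for every detail
    coefficient whose magnitude exceeds the robust threshold of its level.
    Level 1 localises the edges of a burst to a single pair of intervals;
    coarser levels confirm it over wider spans (compare slide 49's d3)."""
    hits = []
    for j, d in enumerate(haar_details(counts, levels), start=1):
        limit = robust_threshold(d, k)
        span = 2 ** j
        for i, v in enumerate(d):
            if abs(v) > limit:
                hits.append((j, i * span, i * span + span - 1, v))
    return hits

if __name__ == "__main__":
    for level, first, last, value in wavelet_anomalies(PACKET_COUNTS):
        print(f"d{level}: intervals {first}-{last} detail {value:+.2f}")
    # prints d1 hits at 18-19 and 22-23 (burst start/end), d2 at 16-19 and
    # 20-23, d3 at 16-23; the first 16 baseline intervals alone give no hits.
```

Because the threshold is recomputed from each dataset, a constant-rate baseline with jitter produces no alarms, while a burst shows up at the level whose pair boundary straddles its edge.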

68
Results: Figure 1
69
Figure 2
70
Figure 3
71
Figure 4
72
Figure 5
73
Figure 6
74
Conclusion and Future Direction
  • We have presented
  • A wavelet based framework for network
    monitoring
  • This is our first phase for the development of an
    engine for Network Intrusion Analysis
  • This will not depend on databases and thus will
    minimize false negatives and false positives

75
References
  • [1] K. Ilgun, A real-time intrusion detection
    system for UNIX, IEEE Symp. on Security and
    Privacy, 1993.
  • [2] P. Porras and R. Kemmerer, Penetration State
    Transition Analysis: A Rule Based Intrusion
    Detection Approach, Computer Security
    Applications Conference, 1992
  • [3] http://enterprisesecurity.symantec.com/content/productlink.cfm
  • [4] http://newsroom.cisco.com/dlls/fspnisapi32b3.html
  • [5] http://www.iss.net
  • [6] A. Haar. Zur Theorie der orthogonalen
    Funktionensysteme. Mathematische Annalen,
    69:331-371, 1910. Also in PhD thesis.
  • [7] A. Grossmann and J. Morlet, Decomposition of
    Hardy functions into square integrable wavelets
    of constant shape, SIAM J. Math. Phys., 15
    (1984), pp 723-736.
  • [8] Y. Meyer. Ondelettes et opérateurs, Tome 1,
    Hermann Ed., 1990

76
References
  • [9] S. Mallat. A theory for multiresolution
    signal decomposition: the wavelet representation.
    IEEE Transactions on Pattern Recognition and
    Machine Intelligence, 11(7):674-693, July 1989.
  • [10] I. Daubechies, Ten Lectures on Wavelets, no.
    61 in CBMS-NSF Series in Applied Mathematics,
    SIAM, Philadelphia, 1992
  • [11] R. R. Coifman, A real variable
    characterization of Hp, Studia Math., 51 (1974).
  • [12] R. R. Coifman, Y. Meyer, S. Quake, and M. V.
    Wickerhauser, Signal Processing and compression
    with wave packets, in Proceedings of the
    International Conference on Wavelets, Marseilles,
    1989, Y. Meyer, ed., Masson, Paris.
  • [13] S. Ezekiel, Low-dimensional chaotic signal
    characterization using approximate entropy, 3rd
    IASTED International Conference Circuits,
    Signals, and Systems, Cancun, May 2003
  • [14] S. Ezekiel, Heart Rate Variability Signal
    Processing by Using Wavelet Based Multifractal
    Analysis, IASTED International Conference,
    Digital Signal Processing and Control, USA, May
    2001
  • [15] C. E. Shannon, "A Mathematical Theory of
    Communication", Bell Syst. Tech. J., 27, 379-423,
    623-656.