Using MIB II Variables for Intrusion Detection - PowerPoint PPT Presentation

Slides: 25
Provided by: ccGa
1
Using MIB II Variables for Intrusion Detection
  • Xinzhou Qin
  • 12/04/2001

2
Outline
  • Introduction
  • Motivation
  • MIB II-based ID Model
  • Experiments Evaluation
  • Conclusion

3
Intrusion Detection System (IDS)
  • Intrusion Detection Techniques
  • Signature/Misuse Detection
  • Approach: match known attack signatures/patterns
  • Pros: high accuracy, low false positives,
    efficient & simple
  • Cons: blind to new attacks
  • Anomaly Detection
  • Approach: monitor deviations from normal
    profiles
  • Pros: capability of detecting new intrusions
  • Cons: relatively high false positives, difficulty
    in modeling (normal profile construction)

4
Issues with Current IDSs
  • Ineffective Performance
  • Insufficient sources: BSM records, tcpdump
  • Primarily count on misuse detection
  • Lack of Adaptability
  • To detect new intrusions
  • Difficulty in the anomaly detection module
  • Poor Detection of Sophisticated Intrusions
  • Coordinated, multi-phased intrusions, e.g., DDoS

5
Motivation
  • To provide another data source to ID: MIB II
    variables
  • Comprehensive information on traffic, errors
  • Grouped statistics based on protocols
  • To design an MIB-based ID Agent working with
    other IDS sensors deployed in the network
  • To increase the efficiency of IDS
  • To increase the performance of IDS
  • High detection accuracy & low false alarm rate

6
As we did in the homework?
  • No.
  • In our homework:
  • Signature-based approach
  • Needs to know the intrusion signature first, then
    pick up the key MIB variables
  • Needs to update the key MIB variables when a new
    intrusion appears
  • Cannot find new intrusions/anomalies
  • In this project:
  • Trying to find a generic approach to use MIBs for
    intrusion detection (misuse & anomaly detection)

7
MIB II ID Model
  • MIB II Objects
  • 91 objects from the IP, ICMP, TCP, UDP and SNMP groups
  • Relevant to network traffic, error information,
    control information, etc. at different layers
  • Premise
  • There is an inherent relationship between the MIB
    II objects that is stable under normal
    conditions.
  • Such a stable relationship will be broken or
    disturbed by intrusions.
  • To learn such a relationship and detect the
    intrusions which tamper with it
  • Approaches
  • Machine Learning Classification Approach
  • Object-object prediction & Object-time prediction

8
MIB II ID Model
  • Classification Algorithms
  • To classify data items into one of a discrete set
    of categories
  • Data item → class label, described by a set of
    features/attributes
  • RIPPER
  • Rule induction learning algorithm; produces if-then
    rule sets
  • Easily understood, good generalization accuracy
    and concise conditions
  • E.g. abnormal (50/10) IF icmpInEchoReps >= 500
    AND icmpOutEchos <= 5

9
Object-Object Prediction
  • To learn and analyze the inherent relationship
    between the MIB II objects
  • To detect the intrusions which disturb such a
    stable relationship

10
Object-Object Prediction
  • Model Construction
  • Phase I
  • Use the other 90 objects to predict the remaining
    one → 91 sets of predictions
  • Apply RIPPER to each prediction set → Rule 1 for
    each prediction set
  • Phase II
  • Build another 91 sets of predictions from other
    training data that include both normal data and
    abnormal data
  • Apply Rule 1 to each prediction set → mark the
    rule score on each sample sequence in each
    prediction set
  • Combine the scores → score matrix
  • Apply RIPPER to the score matrix → Rule 2

11
Object-Object Prediction (Phase I Example)
  • Prediction Sets
  • Set 1: O2 O3 O4 O5 … O91 → O1
  • 0 0 23 45 … 2 → A=0
  • 5 235 0 0 … 5 → A=0
  • Set 2: O1 O3 O4 O5 … O91 → O2
  • 0 0 23 45 … 2 → A=0
  • 0 235 0 0 … 5 → A=5

12
Object-Object Prediction (Phase I Example)
  • RIPPER Rule 1 for a Prediction Set
  • O1 O2 … O91 → O10 (ipOutRequests)
  • A=250 (89/1) IF udpInDatagrams >= 249 AND
    udpInDatagrams <= 252 AND tcpInSegs <= 2.
  • A=246 (115/0) IF ipInReceives >= 249 AND
    udpInDatagrams <= 248 AND udpInDatagrams >= 246
    AND tcpInSegs <= 2.
  • A=0 (1841/93) IF .
  • Confidence of the classification rule
  • Matched examples / total examples in the training
    set
  • E.g. for the default rule A=0 (1841/93) IF .,
    confidence = 1841/(1841+93) = 0.95

13
Object-Object Prediction (Phase II Example)
  • Score of the sample sequence
  • 0 if the prediction is correct when using the
    sample sequence
  • confidence of the rule × 100 if the prediction
    is incorrect
  • Score Matrix: class label is classified as N
    (normal) or A (abnormal)
  • 0,0,0,0,0, …, 0,0 → N
  • 0,0,90,0,0, …, 0,0 → N
  • 0,0,65,0,0, …, 0,0 → N
  • 0,0,83,100,100, …, 0,0 → A
  • 0,0,75,100,100, …, 0,0 → A

14
Object-Object Prediction (Phase II Example)
  • RIPPER Rule 2 for the Score Matrix
  • E.g.
  • N (3248/0) IF C34 <= 0 AND C10 <= 62.
  • N (250/0) IF C34 <= 0 AND C75 <= 60.
  • N (4/0) IF C36 <= 0 AND C55 >= 99 AND C3 >= 60.
  • A (4576/1) IF .
  • Go through the normal rules; the default is
    the anomaly.
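
The two-phase construction of slides 8, 10, 12, 13 and 14 (Rule 1 per prediction set, Phase II scores, score matrix, Rule 2 with anomaly as the default) as a small worked example. This is added code, not the authors' implementation: RIPPER is not reimplemented, the rule sets are hand-written in the slides' "label (covered/errors) IF ..." format, only the ipOutRequests rules are transcribed from slide 12, and the second prediction set (tcpInSegs), Rule 2 and the polled samples are constructed for illustration.

```python
"""Toy Object-Object Prediction pipeline: Rule 1 -> Phase II scores ->
score matrix -> Rule 2 -> detection.  Rule sets are hand-written; RIPPER
is not reimplemented.  Only RULE1_IPOUTREQUESTS comes from slide 12; the
tcpInSegs rules, Rule 2 and the sample polls are constructed."""
from typing import Dict, List, Tuple

Sample = Dict[str, int]                   # one poll of MIB II objects: name -> value
Cond = Tuple[str, str, int]               # (object, op, threshold)
Rule = Tuple[str, int, int, List[Cond]]   # (label, covered, errors, conds); [] = default


def confidence(rule: Rule) -> float:
    """Slide 12: matched examples / total examples covered in training."""
    _, covered, errors, _ = rule
    return covered / (covered + errors)


def holds(cond: Cond, sample: Sample) -> bool:
    obj, op, thr = cond
    v = sample.get(obj, 0)
    return {">=": v >= thr, "<=": v <= thr}[op]


def apply_rules(rules: List[Rule], sample: Sample) -> Rule:
    """Ordered rule list: the first rule whose conditions all hold fires.
    The last rule has no conditions and is the default."""
    for rule in rules:
        if all(holds(c, sample) for c in rule[3]):
            return rule
    raise ValueError("rule list has no default rule")


# Rule 1 for the prediction set (all other objects) -> ipOutRequests, slide 12.
RULE1_IPOUTREQUESTS: List[Rule] = [
    ("A=250", 89, 1, [("udpInDatagrams", ">=", 249), ("udpInDatagrams", "<=", 252),
                      ("tcpInSegs", "<=", 2)]),
    ("A=246", 115, 0, [("ipInReceives", ">=", 249), ("udpInDatagrams", "<=", 248),
                       ("udpInDatagrams", ">=", 246), ("tcpInSegs", "<=", 2)]),
    ("A=0", 1841, 93, []),
]
# Constructed Rule 1 for a second prediction set, (all other objects) -> tcpInSegs.
RULE1_TCPINSEGS: List[Rule] = [
    ("A=1", 60, 40, [("udpInDatagrams", ">=", 249)]),
    ("A=0", 500, 25, []),
]
RULE1_BY_TARGET = {"ipOutRequests": RULE1_IPOUTREQUESTS, "tcpInSegs": RULE1_TCPINSEGS}

# Constructed Rule 2 over score columns C1 (ipOutRequests set) and C2 (tcpInSegs set),
# shaped like slide 14: normal rules first, anomaly as the default.
RULE2: List[Rule] = [
    ("N", 3248, 0, [("C1", "<=", 0), ("C2", "<=", 62)]),
    ("A", 4576, 1, []),
]


def phase2_score(rules: List[Rule], sample: Sample, target: str) -> int:
    """Slide 13: 0 if Rule 1 predicts the target's actual value in this
    sample, otherwise the confidence of the rule that fired x 100."""
    fired = apply_rules(rules, sample)
    if fired[0] == f"A={sample[target]}":
        return 0
    return round(confidence(fired) * 100)


def score_row(sample: Sample) -> Sample:
    """One score-matrix row: column Ci holds the Phase II score of the
    i-th prediction set for this sample."""
    return {f"C{i}": phase2_score(rules, sample, target)
            for i, (target, rules) in enumerate(RULE1_BY_TARGET.items(), start=1)}


def score_matrix(samples: List[Tuple[Sample, str]]) -> List[Tuple[Sample, str]]:
    """Rows of (scores, N/A class label): the input RIPPER learns Rule 2 from."""
    return [(score_row(sample), label) for sample, label in samples]


def detect(sample: Sample) -> str:
    """Slide 15: feed one poll through Rule 1 (scores) and then Rule 2 (verdict)."""
    return apply_rules(RULE2, score_row(sample))[0]


# Constructed polls (per-interval counter deltas) with their true labels.
SAMPLES: List[Tuple[Sample, str]] = [
    ({"udpInDatagrams": 250, "tcpInSegs": 1, "ipInReceives": 251, "ipOutRequests": 250}, "N"),
    ({"udpInDatagrams": 247, "tcpInSegs": 0, "ipInReceives": 250, "ipOutRequests": 246}, "N"),
    # a flood: the traffic counters jump together, so the learned relationships break
    ({"udpInDatagrams": 250, "tcpInSegs": 5000, "ipInReceives": 6000, "ipOutRequests": 5500}, "A"),
]

if __name__ == "__main__":
    for row, label in score_matrix(SAMPLES):
        print(row, "->", label)
    print([detect(s) for s, _ in SAMPLES])   # ['N', 'N', 'A']
```

The flood sample falls through to the default rules of both prediction sets, so its row carries the default rules' confidences (95 and 60) rather than zeros, and Rule 2 classifies it as A. With the real model there are 91 columns, and a single misfiring column on normal traffic (the 90 and 65 in the N rows of slide 13) is tolerated by Rule 2's thresholds, which is why the second phase is needed at all.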

15
Object-Object Prediction
  • Detection
  • Feed in MIB II objects
  • Apply Rule 1 and Rule 2 to detect potential
    intrusions

16
Object-Time Prediction
  • Premise
  • To learn and analyze the temporal relationship of
    each object
  • To detect the intrusions which break such a
    stable relationship
  • Approach
  • To use past values of the object to predict the
    future value
  • Phase I and Phase II are similar to those in
    Object-Object Prediction

17
Object-Time Prediction (Example)
  • Prediction Sets
  • O(t-3) O(t-2) O(t-1) → O(t)
  • 0 258 234 → A=270
  • 258 234 270 → A=0
  • RIPPER Rule 1 for a Prediction Set
  • A=654 (170/10) IF O(t-2) >= 558 AND O(t-2) <= 568
    AND O(t-3) >= 560 AND O(t-1) >= 555

18
Object-Time Prediction (Example)
  • RIPPER Rule 2 for the Score Matrix
  • E.g.
  • N (3153/0) IF C34 <= 0 AND C64 <= 55.
  • N (304/0) IF C34 <= 0 AND C78 <= 75 AND C59 <= 0.
  • A (4576/6) IF .
  • Go through the normal rules; the default is
    the anomaly.
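
How the Object-Time prediction sets of slides 16 and 17 are built from a single polled object, and how one window is scored against a Rule 1 in the slides' format, as an added example rather than the authors' code. The first rule is transcribed from slide 17; the default rule, the per-poll counter deltas and the baseline value of 560 are constructed, and the series is treated as per-interval deltas of a MIB II counter rather than the raw monotonically increasing counter.

```python
"""Object-Time prediction set: O(t-3), O(t-2), O(t-1) -> O(t), with one
hand-written Rule 1 per slide 17.  The default rule and SERIES are
constructed for illustration; RIPPER is not reimplemented."""
from typing import List, Tuple

WINDOW = 3                 # O(t-3), O(t-2), O(t-1) are the features, O(t) is the label
Window = Tuple[int, ...]


def prediction_set(series: List[int], window: int = WINDOW) -> List[Tuple[Window, int]]:
    """One sample per poll t >= window: (the past `window` values, O(t)).
    Consecutive samples overlap, exactly like the two rows on slide 17."""
    return [(tuple(series[t - window:t]), series[t]) for t in range(window, len(series))]


def rule1(w: Window) -> Tuple[str, int, int]:
    """Ordered rule list for this object's set; returns (label, covered, errors)."""
    # Slide 17: A=654 (170/10) IF O(t-2) >= 558 AND O(t-2) <= 568
    #                              AND O(t-3) >= 560 AND O(t-1) >= 555.
    if 558 <= w[-2] <= 568 and w[-3] >= 560 and w[-1] >= 555:
        return ("A=654", 170, 10)
    # Constructed default rule: most polls sit at the 560 baseline.
    return ("A=560", 900, 100)


def score(w: Window, actual: int) -> int:
    """Phase II score for one window (slide 13): 0 if Rule 1 predicted O(t),
    otherwise the firing rule's confidence x 100."""
    label, covered, errors = rule1(w)
    if label == f"A={actual}":
        return 0
    return round(covered / (covered + errors) * 100)


# Constructed per-poll deltas of one MIB II counter; the final value is a flood.
SERIES = [560, 562, 556, 654, 550, 561, 560, 557, 3000]


def scored_series(series: List[int] = SERIES) -> List[Tuple[Window, int, int]]:
    """(window, O(t), score) for every poll that has a full window behind it."""
    return [(w, actual, score(w, actual)) for w, actual in prediction_set(series)]


if __name__ == "__main__":
    for w, actual, s in scored_series():
        print(w, "->", actual, "score", s)
```

The last window (561, 560, 557) satisfies the slide-17 rule and predicts 654, but the poll actually delivered 3000, so that column of the score matrix becomes 94 (170/180 × 100); the first window predicts 654 correctly and scores 0. Windows that fall through to the constructed default also pick up non-zero scores, which mirrors slide 13's normal rows with a stray 90 or 65 and is why Rule 2 is learned over all columns rather than any one object's score.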

19
MIB II ID Model
  • Training Data
  • One set of normal training data for getting Rule 1
  • One set of normal and one set of abnormal training
    data (collected under TFN2K Ping Flood and Targa3
    respectively) for getting Rule 2
  • Testing Data
  • Data collected when there is a simulated intrusion

20
MIB II ID Model
  • Misuse Detection
  • For TFN2K Ping Flood & Targa3 attacks
  • ID model has learned the behavior of these two
    attacks in the training phase
  • Known intrusions to our ID model
  • Anomaly Detection
  • For SMURF, NMAP, Trinoo
  • ID model has no idea about the behavior of these
    intrusions since the training data sets don't
    include them
  • New intrusions to our ID model

21
MIB II ID Model
22
What have we learnt?
  • MIB II variables can be used as a data source for ID
  • MIB II-based ID Model is
  • Good for the misuse detection (Ping Flood, Targa3)
    in this case
  • Good for the anomaly detection (NMAP, Trinoo) in
    this case
  • Poor for the detection of SMURF.
  • Object-Time model has a better overall
    performance than Object-Object model

23
What have we learnt?
  • Limitations
  • Only good for traffic-based intrusions
  • No clues to non-traffic-based attacks, e.g.
    illegal remote root access
  • Current approach does not take advantage of Group
  • Future Work
  • Other MIBs?
  • RMON I & II → info on the subnet
  • Other Enterprise MIBs → MIB of Cisco's router

24
The End
  • Thank You !