A Wavelet Approach to Network Intrusion Detection

1
A Wavelet Approach to Network Intrusion Detection

• W. Oblitey S. Ezekiel
• IUP Computer Science Dept.

2
Intrusion Detection

• Provides monitoring of system resources to help
  detect intrusion and/or identify attacks.
• Complimentary to blocking devices.
• Insider attacks.
• Attacks that use traffic permitted by the
  firewall.
• Can monitor the attack after it crosses through
  the firewall.
• Helps gather useful information for
• Detecting attackers,
• Identifying attackers,
• Reveal new attack strategies.

3
Classification

• Intrusion Detection Systems classified according
  to how they detect malicious activity
• Signature detection systems
• Also called Misuse detection systems
• Anomaly detection systems
• Also classified as
• Network-based intrusion detection systems
• Monitor network traffic
• Host-based intrusion detection systems.
• Monitor activity on host machines

4
Signature Detection

• Achieved by creating signatures
• Models of attack
• Monitored events compared to models to determine
  qualification as attacks.
• Excellent at detecting known attacks.
• Requires the signatures to be created and entered
  into the sensors database before operation.
• May generate false alarms (False Positives).
• Problem
• Needs a large number of signatures for effective
  detection.
• The database can grow very massive.

5
Anomaly Detection

• Creates a model of normal use and looks for
  activity that does not conform to the model.
• Problems with this method
• Difficulty in creating the model of normal
  activity
• If the network already had malicious activity on
  it, is it normal activity?
• Some patterns classified as anomalies may not be
  malicious.

6
Network-Based IDS

• By far the most commonly employed form of
  Intrusion Detection Systems.
• To many people, IDS is synonymous with NIDS.
• Matured more quickly than the host-based
  equivalents.
• Large number of NIDS products available on the
  market.

7
Deploying NIDS

• Points to consider
• Where do sensors belong in the network?
• What is to be protected the most?
• Which devices hold critical information assets?
• Cost effectiveness
• We cannot deploy sensors on all network segments.
• Even not manageable.
• We need to carefully consider where sensors are
  to be deployed.

8
Locations for IDS Sensors

• Just inside the firewall.
• The firewall is a bottleneck for all traffic.
• All inbound/outbound traffic pass here.
• The sensor can inspect all incoming and outgoing
  traffic.
• On the DMZ.
• The publicly reachable hosts located here are
  often get attacked.
• The DMZ is usually the attackers first point of
  entry into the network.
• On the server farm segment.
• We can monitor mission-critical application
  servers.
• Example Financial, Logistical, Human Resources
  functions.
• Also monitors insider attacks.
• On the network segments connecting the mainframe
  or midrange hosts.
• Monitor mission-critical devises.

9
The Network Monitoring Problem

• Network-based IDS sensors employ sniffing to
  monitor the network traffic.
• Networks using hubs
• Can monitor all packets.
• Hubs transmit every packet out of every connected
  interface.
• Switched networks
• The sensor must be able to sniff the passing
  traffic.
• Switches forward packets only to ports connected
  to destination hosts.

10
Monitoring Switched Networks

• Use of Switch Port Analyzer (SPAN)
  configurations.
• Causes switch to copy all packets destined to a
  given interface.
• Transmits packets to the modified port.
• Use of hubs in conjunction with the switches.
• The hub must be a fault-tolerant one.
• Use of taps in conjunction with the switches.
• Fault-tolerant hub-like devices.
• Permit only one-way transmission of data out of
  the monitoring port.

11
NIDS Signature Types

• These look for patterns in packet payloads that
  indicate possible attacks.
• Port signatures
• Watch for connection attempts to a known or
  frequently attacked ports.
• Header signatures
• These watch for dangerous or illogical
  combinations in packet headers.

12
Network IDS Reactions Types

• Typical reactions of network-based IDS with
  active monitoring upon detection of attack in
  progress
• TCP resets
• IP session logging
• Shunning or blocking
• Capabilities are configurable on per-signature
  basis
• Sensor responds based on configuration.

13
TCP Reset Reaction

• Operates by sending a TCP reset packet to the
  victim host.
• This terminates the TCP session.
• Spoofs the IP address of the attacker.
• Resets are sent from the sensors
  monitoring/sniffing interface.
• It can terminate an attack in progress but cannot
  stop the initial attack packet from reaching the
  victim.

14
IP Session Logging

• The sensor records traffic passing between the
  attacker and the victim.
• Can be very useful in analyzing the attack.
• Can be used to prevent future attacks.
• Limitation
• Only the trigger and the subsequent packets are
  logged.
• Preceding packets are lost.
• Can impact sensor performance.
• Quickly consumes large amounts of disk space.

15
Shunning/Blocking

• Sensor connects to the firewall or a
  packet-filtering router.
• Configures filtering rules
• Blocks packets from the attacker
• Needs arrangement of proper authentication
• Ensures that the sensor can securely log into the
  firewall or router.
• A temporary measure that buy time for the
  administrator.
• The problem with spoofed source addresses.

16
Host-based IDS

• Started in the early 1980s when networks were not
  do prevalent.
• Primarily used to protect only critical servers
• Software agent resides on the protected system
• Signature based
• Detects intrusions by analyzing logs of operating
  systems and applications, resource utilization,
  and other system activity
• Use of resources can have impact on system
  performance

17
HIDS Methods of Operation

• Auditing logs
• system logs, event logs, security logs, syslog
• Monitoring file checksums to identify changes
• Elementary network-based signature techniques
  including port activity
• Intercepting and evaluating requests by
  applications for system resources before they are
  processed
• Monitoring of system processes for suspicious
  activity

18
Log File Auditing

• Detects past activity
• Cannot stop the action that set off the alarm
  from taking place.
• Log Files
• Monitor changes in the log files.
• New entries for changes logs are compared with
  HIDS attack signature patterns for match
• If match is detected, administrator is alerted

19
File Checksum Examination

• Detects past activity
• Cannot stop the action that set off the alarm
  from taking place.
• Hashes created only for system files that should
  not change or change infrequently.
• Inclusion of frequently changing files is a huge
  disturbance.
• File checksum systems, like Tripwire, may also be
  employed.

20
Network-Based Techniques

• The IDS product monitors packets entering and
  leaving the hosts NIC for signs of malicious
  activity.
• Designed to protect only the host in question.
• The attack signatures used are not as
  sophisticated as those used in NIDs.
• Provides rudimentary network-based protections.

21
Intercepting Requests

• Intercepts calls to the operating system before
  they are processed.
• Is able to validate software calls made to the
  operating system and kernel.
• Validation is accomplished by
• Generic rules about what processes may have
  access to resources.
• Matching calls to system resources with
  predefined models which identify malicious
  activity.

22
System Monitoring

• Can preempt attacks before they are executed.
• This type of monitoring can
• Prevent files from being modified.
• Allow access to data files only to a predefined
  set of processes.
• Protect system registry settings from
  modification.
• Prevent critical system services from being
  stopped.
• Protect settings for users from being modified.
• Stop exploitation of application vulnerabilities.

23
HIDS Software

• Deployed by installing agent software on the
  system.
• Effective for detecting insider-attacks.
• Host wrappers
• Inexpensive and deployable on all machines
• Do not provide in-depth, active monitoring
  measures of agent-based HIDS products
• Sometimes referred to as personal firewalls
• Agent-based software
• More suited for single purpose servers

24
HIDS Active Monitoring Capabilities

• Options commonly used
• Log the event
• Very good for post mortem analysis
• Alert the administrator
• Through email or SNMP traps
• Terminate the user login
• Perhaps with a warning message
• Disable the user account
• Preventing access to memory, processor time, or
  disk space.

25
Advantages of Host-based IDS

• Can verify success or failure of attack
• By reviewing log entries
• Monitors user and system activities
• Useful in forensic analysis of the attack
• Can protect against non-network-based attacks
• Reacts very quickly to intrusions
• By preventing access to system resources
• By immediately identifying a breach when it
  occurs
• Does not rely on particular network
  infrastructure
• Not limited by switched infrastructures
• Installed on the protected server itself
• Does not require additional hardware to deploy
• Needs no changes to the network infrastructure

26
Active/Passive Detection

• The ability of an IDS to take action when they
  detect suspicious activity.
• Passive Systems
• Take no action to stop or prevent the activity.
• They log events.
• They alert administrators.
• They record the traffic for analysis.
• Active Systems
• They do all the recordings that passive systems
  do,
• They interoperate with firewalls and routers
• Can cause blocking or shunning
• They can send TCP resets.

27
Our Approach

• We present a variant but novel approach of the
  anomaly detection scheme.
• We show how to detect attacks without the use of
  data banks.
• We show how to correlate multiple inputs to
  define the basis of a new generation analysis
  engine.

28
Signals and signal Processing

• Signal definition
• A function of independent variables like time,
  distance, position, temperature, and pressure.
• Signals play important part in our daily lives
• Examples speech, music, picture, and video.
• Signal Classification
• Analog the independent variable on which the
  signal depends is continuous.
• Digital the independent variable is discrete.
• Digital signals are presented a a sequence of
  numbers (samples).
• Signals carry information
• The objective of signal processing is to extract
  this useful information.

29
Energy of a Signal

• We can also define a signal as a function of
  varying amplitude through time.
• The measure of a signals strength is the area
  under the absolute value of the curve.
• This measure is referred to as the energy of the
  signal and is defined as
• Energy of continuous signal
• Energy of discrete signal

30
What is Wavelet? ( Wavelet Analysis)

• Wavelets are functions that satisfy certain
  mathematical requirements and are used to
  represent data or other functions
• Idea is not new--- Joseph Fourier--- 1800's
• Wavelet-- the scale we use to see data plays an
  important role
• FT non local -- very poor job on sharp spikes

Wavelet db10
Sine wave
31
History of wavelets

• 1807 Joseph Fourier- theory of frequency
  analysis-- any 2pi functions f(x) is the sum of
  its Fourier Series
• 1909 Alfred Haar-- PhD thesis-- defined Haar
  basis function---- it is compact support( vanish
  outside finite interval)
• 1930 Paul Levy-Physicist investigated Brownian
  motion ( random signal) and concluded Haar basis
  is better than FT
• 1930's Littlewood Paley, Stein gt calculated the
  energy of the function 1960 Guido Weiss, Ronald
  Coifman-- studied simplest element of functions
  space called atom
• 1980 Grossman (physicist) Morlet( Engineer)--
  broadly defined wavelet in terms of quantum
  mechanics
• 1985 Stephen Mallat--defined wavelet for his
  Digital Signal Processing work for his Ph.D.
• Y Meyer constructed first non trivial wavelet
• 1988 Ingrid Daubechies-- used Mallat work
  constructed set of wavelets
• The name emerged from the literature of
  geophysics, by a route through France. The word
  onde led to ondelette. Translation wave led to
  wavelet

32
Fourier Series and Energy
33
Functions

• Functions (Science and Engg) often use time as
  their parameter
• g(t)-gt represent time domain
• since typical function oscillate think it as
  wave so G(f) where f frequency of the wave, the
  function represented in the frequency domain
• A function g(t) is periodic, there exits a
  nonzero constant P s.t. g(tP)g(t) for all t,
  where P is called period
• periodic function has 4 important attributes
• Amplitude max value it has in any period
• Period---2P
• Frequency f1/P(inverse) cycles per second, Hz
• PhaseCos is a Sin function with a phase

34
Fourier, Haar

• Amplitude, time ? amplitude , frequency
• 1965 Cooley and Tukey Fast Fourier Transform
• Haar

35
CWT

• continuous wavelet transform (CWT) of a function
  f(t) a mother wavelet
• mother wavelet may be real or complex with the
  following properties
• 1.the total area under the curve0,
• 2. the total area of is finite
  
• 3. Admissible condition
• oscillate above and below the t-axis
• energy of the function is finite? function is
  localize
• Infinite number of functions satisfies above
  conditions some of them used for wavelet
  transform
• example
• Morlet wavelet
• Mexican hat wavelet

36

• once a wavelet has been chosen , the CWT of a
  square integrable function f(t) is defined as
• denotes
  complex conjugate
• For any a,
• Thus b is a translation parameter
• Setting b0,
• Here a is a scaling parameter
• agt1? stretch the wavelet and 0ltalt1 shrink it

37
Wavelets
Fourier Transform
CWT C( scale, position)
Scaling wave means simply Stretching
(or Shrinking) it
Shifting f (t) f(t-k)
38
Wavelets Continue

• Wavelets are basis functions in
  continuous time
• A basis is a set of linearly independent function
  that can be used to produce a function f(t)
• f(t) combination of basis function
• is constructed from a single mother
  wave w(t) -- normally it is a small wave-- it
  start at 0 and ends at tN
• Shrunken ( scaled)
• shifted
• A typical wavelet compressed j times
  and shifted k times is
• Property- Remarkable property is orthogonality
  i.e. their inner-products are zero
• This leads to a simple formula for bjk

39

• Haar Transform
• Digitized sound, image are discrete. ? we need
  discrete wavelet
• where ck and dj,k are coefficients to be
  calculated
• example- consider the array of 8 values
  (1,2,3,4,5,6,7,8)
• 4 average values? 4 difference ( detail
  coefficients)
• calculate average, and difference for 4 averages
• continue this way
• Method is called PYRAMID DECOMPOSITION
• Haar transform depends on coeff ½, ½ and ½, -
  ½
• if we replace 2 by v2 then it is called coarse
  detail and fine detail

40
Transforms

• Transform of a signal is a new representation of
  that signal
• Example- signal x0,x1,x2,x3 define
  y0,y1,y2,y3
• Questions
• 1. What is the purpose of y's
• 2. Can we get back x's
• Answer for 2 The Transform is invertible--
  perfect reconstruction
• Divide Transform in to 3 groups
• 1. Lossless( Orthogonal)-- Transformed Signal has
  the same length
• 2. Invertible (bi-orthogonal)-- length and angle
  may change-- no information lost
• 3. Lossy ( Not invertible)--

41
Answer to Q1 Purpose

• IT SEES LARGE vs SMALL
• X01.2, X1 1.0, x2-1.0, x3-1.2
• Y2.2 0 -2.2 0
• Key idea for wavelets is the concept of " SCALE"
• We can take sum and difference againgt recursion
  gt Multiresolution
• Main idea of Wavelet analysis analyze a function
  at different scales mother wavelet use to
  construct wavelet in different scale and
  translate each relative to the function being
  analyzed
• Z 0 0 4.4 0
• Reconstruct gtcompression 41

42
(No Transcript)
43
(No Transcript)
44
(No Transcript)
45
(No Transcript)
46
(No Transcript)
47
(No Transcript)
48
(No Transcript)
49

• Real electricity consumption
• peak in the center, followed by two drops,
  shallow drop, and then a considerably weaker peak
• d1 d2 shows the noise
• d3 presents high value in the beginning and at
  the end of the main peak, thus allowing us to
  locate the corresponding peak
• d4 shows 3 successive peak this fits the shape
  of the curve remarkably
• a1,a2 strong resemblance
• a3 reasonable---- a4 lost lots of information

50
(No Transcript)
51
(No Transcript)
52
(No Transcript)
53
(No Transcript)
54

• JPEG (Joint Photographic Experts Group)
• 1. Color images ( RGB) change into luminance,
  chrominance, color space
• 2. color images are down sampled by creating low
  resolution pixels not luminance part
  horizontally and vertically, ( 21 or 21, 11)
  1/3 (2/3)(1/4) ½ size of original size
• 3. group 8x8 pixels called data sets if not
  multiple of 8 bottom row and right col are
  duplicated
• 4. apply DCT for each data set 64 coefficients
• 5. each of 64 frequency components in a data unit
  is divided by a separate number called
  quantization coefficients (QC) and then rounded
  into integer
• 6. QC encode using RLE, Huffman encoding,
  Arithmetic Encoding ( QM coder)
• 7. Add Headers, parameters, and output the result
• interchangeable format compressed data all
  tables need for decoder
• abbreviated format compressed data not tables (
  few tables)
• abbreviated format just tables no compressed
  data
• DECODER DO THE REVERSE OF THE ABOVE STEPS

55

• JPEG 2000 or JPEG Y2k
• divide into 3 colors
• each color is partitioned into rectangular,
  non-overlapping regions called tiles that are
  compressed individually
• A tile is compressed into 4 main steps
• 1. compute wavelet transform sub band of
  wavelets integer, fp,---L1 levels, L is the
  parameter determined by the encoder
• 2. wavelet coeff are quantized, -- depends on
  bit rate
• 3. use arithmetic encoder for wavelet
  coefficients
• 4. construct bit stream do certain region, no
  order
• Bit streams are organized into layers, each
  layer contains higher resolution image
  information
• thus decoding layer by layer is a natural way to
  achieve progressive image transformation and
  decompression

56
(No Transcript)
57
(No Transcript)
58
A
H
D
V
59
(No Transcript)
60
Lowpass Filter Moving Average

• y(n) x(n)/2 x(n-1)/2 here h(0)1/2 and
  h(1)1/2
• Fits standard form for k0,1 x unit impulse
• x(...0 0 0 0 1 0 0 0...) then y(...0 0 1/2
  1/2 0 0..)
• average filter 1/2 (identity) 1/2 (delay)
• Every linear operator acting on a single vector x
  can be rep by yHx
• main diagonal come from identity--subdiagonal
  come from delay
• we have finite (two) coefficients--gt FIR finite
  impulse response
• low passgt scaling function
• It smooth out bumps in the signal(high freq
  component

61
Highpass Filter Moving Difference

• y(n) 1/2x(n)-x(n-1)
• h(0)1/2
• h(1)-1/2
• yH1x
• Filter Bank Lowpass and Highpass
• they separate the signal into frequency bank
• Problem-- Signal length doubled,
• both are same size as signal gt gives double
  size of the original signal
• Solution-- Down Sampling

62
Down Sampling

• We can keep half of Ho and H1 and still recover x
• Save only even-numbered components ( delete odd
  numbered elements) -- denoted by (?2)--
  decimation
• (?2)y (... y(-4) y(-2)y(0)y(2).......)
• Filtering Down sampling gt Analysis Bank (
  brings half size signal)
• Inverse of this processgt Synthesis bank
• i,e, Up sampling Filtering
• Add even numbered components zeros ( It will
  bring full size) denoted by (?2)
• y (?2 y) (?2)(?2 y)

63
Scaling function and Wavelets

• corresponding to low pass--gt there is scaling
  function
• corresponding to high pass--gt there is wavelet
  function
• dilation equation--gt scaling function
• In terms of original low pass filters
• we have
• for h(0) and h(1) 1/2 we have
• the graph compressed by 2 gives
  and shifted by 1/2 gives
• By similar way the wavelet equation

64
Wavelet Packet

• Walsh-Hadamard transform-- complete binary tree
  --gt wavelet packet
• "Hadamard matrix"gt all entries are 1 and -1 and
  all rows are orthogonal-- divide two time by
  sqrt(2)gt orthogonal symmetric
• Compare with wavelet-- computations

sums z00
sums y0 and y2
difference z24.4
x
sums z10.4
difference y1 and y3
difference z30
65
Filters and Filter Banks

• Filter is a linear time-invariant operator
• It acts on input vector x --- Out put vector y is
  the convolution of x with a fixed vector h
• h--gt contains filter coefficients-- our filters
  are digital not analog-- h(n) are discrete time
  t nT,
• T is sampling period assume it is 1 here
• x(n) and y(n) comes all the time t 0, _ 1....
• y(n) Sh(k) x(n-k) convolution h x in the
  time domain
• Filter Bank Set of all filters
• Convolution by hand--- arrange it as ordinary
  multiplication -- but don't carry digits from one
  column to another
• x 3 2 4 h 1 5 2
• x h 3 17 20 24 8

66
Our Network Topology

• We set up a star topology network
• Four computers in an island
• Each running Linux RedHat 9.2
• The machines are connected by a switch
• The switch is connected to a PIX 515E Firewall
• 3Com Ethernet Hub sits between the switch and the
  firewall
• For Sniffing and capturing packets
• We duplicated this island six times and connected
  them with routers.
• We then connected the islands, via the routers,
  to a central Cisco switch.
• For simulation purposes, we installed Windows XP
  on one machine in island one.

67
Data Collection

• We generated packets with a Perl script on a
  Linux system.
• We used the three most common protocols for our
  simulation
• HTTP, FTP, and SMTP.
• For each protocol
• We generated a constant traffic
• We created 50 datasets each consisting of the
  number of packets transmitted over two minute
  intervals.
• We executed the same traffic scripts with a
  random pause between 0 and 60 seconds.
• We then rerun the traffic between 0 and 15
  seconds to create additional datasets.
• We collected all the 150 datasets by Ethereal for
  further analysis.

68
Results Figure 1
69
Figure 2
70
Figure 3
71
Figure 4
72
Figure 5
73
Figure 6
74
Conclusion Future Direction

• We have presented
• A wavelet based framework for network
  monitoring
• This is our first phase for the development of an
  engine for Network Intrusion Analysis
• This will not depend on databases and thus will
  minimize false negatives and false positives

75
References

• 1 K. Ilgun, A real-time intrusion detection
  system for UNIX, IEEE Symp. On Security and
  Privacy, 1993.
• 2 P.Porras R. Kemmerer, Penetration State
  Transition Analysis- A Rule Based Intrusion
  Detection Approach, Computer Security
  Applications Conference, 1992
• 3http//enterprisesecurity.symantec.com/content/
  productlink.cfm
• 4 http//newsroom.cisco.com/dlls/fspnisapi32b3.h
  tml
• 5 http//www.iss.net
• 6 A.Haar. Zur Theorie der orthogonalen
  Funktionensysteme. Mathematische Annalen,
  69331-371, 1910. Also in PhD thesis.
• 7A. Grossmann and J. Morlet, Decomposition of
  Hardy functions into square integrable wavelets
  of constant shape, SIAM J. Math. Phys., 15
  (1984), pp 723-736.
• 8 Y.Meyer. Ondeletted et operatrurs, Tome 1,
  Hermann Ed., 1990

76
References

• 9 S. Mallat. A theory for multiresolution
  signal decomposition the wavelet representation.
  IEEE Transactions on pattern recognition and
  Machine Intelligence, 11(7)674-693, July 1989.
• 10I. Daubechies, Ten Lectures on Wavelets, no
  61 in CBMS-NSF Series in Applied Mathematics,
  SIAM, Philadelphia, 1992
• 11R. R. Coifman, A real variable
  characterization of Hp, Studia Math, 51 (1974).
• 12 R. R. Coifman, Y. Meyer, S. Quake, and M.V.
  Wickerhauser, Signal Processing and compression
  with wave packets, in Proceedings of the
  International Conference on Wavelets, Marseilles,
  1989, Y. Meyer, ed., Masson, Paris.
• 13S. Ezekiel, Low-dimensional chaotic signal
  characterization using approximate entropy, 3rd
  IASTED International Conference Circuits,
  Signals, and Systems Cancun, May, 2003
• 14 S. Ezekiel, Heart Rate Variability Signal
  Processing by Using Wavelet Based Multifractal
  Analysis, IASTED International Conference,
  Digital Signal Processing and Control, USA, May ,
  2001
• 15C.E.Shannon "A Mathematical Theory of
  Communication", Bell Syst. Tech. J., 27,379-423,
  623-56.