Title: A Wavelet Approach to Network Intrusion Detection
1 A Wavelet Approach to Network Intrusion Detection
- W. Oblitey, S. Ezekiel
- IUP Computer Science Dept.
2 Intrusion Detection
- Provides monitoring of system resources to help detect intrusions and/or identify attacks.
- Complementary to blocking devices.
  - Insider attacks.
  - Attacks that use traffic permitted by the firewall.
  - Can monitor the attack after it crosses through the firewall.
- Helps gather useful information for
  - Detecting attackers,
  - Identifying attackers,
  - Revealing new attack strategies.
3 Classification
- Intrusion Detection Systems are classified according to how they detect malicious activity:
  - Signature detection systems
    - Also called misuse detection systems
  - Anomaly detection systems
- Also classified as
  - Network-based intrusion detection systems
    - Monitor network traffic
  - Host-based intrusion detection systems
    - Monitor activity on host machines
4 Signature Detection
- Achieved by creating signatures
  - Models of attack
  - Monitored events are compared to the models to determine whether they qualify as attacks.
- Excellent at detecting known attacks.
- Requires the signatures to be created and entered into the sensor's database before operation.
- May generate false alarms (false positives).
- Problem
  - Needs a large number of signatures for effective detection.
  - The database can grow very massive.
5 Anomaly Detection
- Creates a model of normal use and looks for activity that does not conform to the model.
- Problems with this method
  - Difficulty in creating the model of normal activity
    - If the network already had malicious activity on it, is that normal activity?
  - Some patterns classified as anomalies may not be malicious.
6 Network-Based IDS
- By far the most commonly employed form of Intrusion Detection System.
- To many people, IDS is synonymous with NIDS.
- Matured more quickly than the host-based equivalents.
- Large number of NIDS products available on the market.
7 Deploying NIDS
- Points to consider
  - Where do sensors belong in the network?
  - What is to be protected the most?
  - Which devices hold critical information assets?
- Cost effectiveness
  - We cannot deploy sensors on all network segments.
  - It would not even be manageable.
  - We need to carefully consider where sensors are to be deployed.
8 Locations for IDS Sensors
- Just inside the firewall.
  - The firewall is a bottleneck for all traffic.
  - All inbound/outbound traffic passes here.
  - The sensor can inspect all incoming and outgoing traffic.
- On the DMZ.
  - The publicly reachable hosts located here often get attacked.
  - The DMZ is usually the attacker's first point of entry into the network.
- On the server farm segment.
  - We can monitor mission-critical application servers.
    - Example: financial, logistical, human resources functions.
  - Also monitors insider attacks.
- On the network segments connecting the mainframe or midrange hosts.
  - Monitor mission-critical devices.
9 The Network Monitoring Problem
- Network-based IDS sensors employ sniffing to monitor the network traffic.
- Networks using hubs
  - Can monitor all packets.
  - Hubs transmit every packet out of every connected interface.
- Switched networks
  - The sensor must be able to sniff the passing traffic.
  - Switches forward packets only to ports connected to destination hosts.
10 Monitoring Switched Networks
- Use of Switch Port Analyzer (SPAN) configurations.
  - Causes the switch to copy all packets destined to a given interface.
  - Transmits the copies to the monitoring port.
- Use of hubs in conjunction with the switches.
  - The hub must be a fault-tolerant one.
- Use of taps in conjunction with the switches.
  - Fault-tolerant hub-like devices.
  - Permit only one-way transmission of data out of the monitoring port.
11 NIDS Signature Types
- Signatures that look for patterns in packet payloads that indicate possible attacks.
- Port signatures
  - Watch for connection attempts to known or frequently attacked ports.
- Header signatures
  - These watch for dangerous or illogical combinations in packet headers.
12 Network IDS Reaction Types
- Typical reactions of a network-based IDS with active monitoring upon detection of an attack in progress:
  - TCP resets
  - IP session logging
  - Shunning or blocking
- Capabilities are configurable on a per-signature basis
  - The sensor responds based on its configuration.
13 TCP Reset Reaction
- Operates by sending a TCP reset packet to the victim host.
  - This terminates the TCP session.
- Spoofs the IP address of the attacker.
- Resets are sent from the sensor's monitoring/sniffing interface.
- It can terminate an attack in progress but cannot stop the initial attack packet from reaching the victim.
14 IP Session Logging
- The sensor records traffic passing between the attacker and the victim.
  - Can be very useful in analyzing the attack.
  - Can be used to prevent future attacks.
- Limitations
  - Only the trigger packet and the subsequent packets are logged.
    - Preceding packets are lost.
  - Can impact sensor performance.
  - Quickly consumes large amounts of disk space.
15 Shunning/Blocking
- The sensor connects to the firewall or a packet-filtering router.
  - Configures filtering rules
  - Blocks packets from the attacker
- Needs proper authentication to be arranged
  - Ensures that the sensor can securely log into the firewall or router.
- A temporary measure that buys time for the administrator.
- Spoofed source addresses are a problem for this reaction.
16 Host-based IDS
- Started in the early 1980s, when networks were not so prevalent.
- Primarily used to protect only critical servers.
- A software agent resides on the protected system.
- Signature based.
- Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity.
- Its use of resources can have an impact on system performance.
17 HIDS Methods of Operation
- Auditing logs
  - System logs, event logs, security logs, syslog
- Monitoring file checksums to identify changes
- Elementary network-based signature techniques, including port activity
- Intercepting and evaluating requests by applications for system resources before they are processed
- Monitoring of system processes for suspicious activity
18 Log File Auditing
- Detects past activity
  - Cannot stop the action that set off the alarm from taking place.
- Log files
  - Monitor changes in the log files.
  - New entries in the changed logs are compared with HIDS attack signature patterns for a match.
  - If a match is detected, the administrator is alerted.
19 File Checksum Examination
- Detects past activity
  - Cannot stop the action that set off the alarm from taking place.
- Hashes are created only for system files that should not change or change infrequently.
  - Inclusion of frequently changing files is a huge disturbance.
- File checksum systems, like Tripwire, may also be employed.
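The two HIDS methods of slides 18 and 19 side by side, as an added Python example (not code from the slides or from Tripwire): a baseline of SHA-256 checksums is compared against the current state of a protected file set, and new log entries are matched against attack-signature patterns. The file set, its contents, the log lines and the signature regular expressions are all constructed for the example; function names are mine.

```python
import hashlib
import re

# Constructed stand-in for the file system: path -> contents. These are the
# system files that should not change and therefore get baselined.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/bin/ls": b"\x7fELF constructed ls binary",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}

# The same host later: one file modified, one removed, one file added.
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n",
    "/bin/ls": b"\x7fELF constructed ls binary",
    "/usr/local/bin/unexpected": b"#!/bin/sh\necho constructed\n",
}

def build_baseline(files):
    """Record a SHA-256 hash for every file in the protected set."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def verify(files, baseline):
    """Re-hash the current files and report every deviation from the baseline."""
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

# Constructed attack-signature patterns for log auditing (slide 18).
LOG_SIGNATURES = {
    "ssh-failed-password": re.compile(r"sshd\[\d+\]: Failed password for .* from "),
    "root-session": re.compile(r"session opened for user root"),
}

# Constructed syslog lines standing in for entries appended since the last audit.
NEW_LOG_LINES = [
    "Jan  1 10:00:01 host sshd[123]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Jan  1 10:00:07 host sshd[124]: Failed password for invalid user admin from 10.0.0.9 port 4022 ssh2",
    "Jan  1 10:00:09 host su[130]: pam_unix(su:session): session opened for user root by alice",
]

def audit_log(lines, signatures=LOG_SIGNATURES):
    """Return (signature name, line) for each new line matching a signature."""
    hits = []
    for line in lines:
        for name, pattern in signatures.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits

if __name__ == "__main__":
    print(verify(CURRENT_FILES, build_baseline(BASELINE_FILES)))
    for name, line in audit_log(NEW_LOG_LINES):
        print(f"ALERT {name}: {line}")
```

Both checks are after the fact, as the slides say: the report tells the administrator that /etc/passwd changed and that a root session was opened, but neither could have prevented it. The baseline dictionary is the part that has to be stored where an intruder cannot rewrite it.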
20 Network-Based Techniques
- The IDS product monitors packets entering and leaving the host's NIC for signs of malicious activity.
- Designed to protect only the host in question.
- The attack signatures used are not as sophisticated as those used in NIDS.
- Provides rudimentary network-based protection.
21 Intercepting Requests
- Intercepts calls to the operating system before they are processed.
- Is able to validate software calls made to the operating system and kernel.
- Validation is accomplished by
  - Generic rules about which processes may have access to resources.
  - Matching calls to system resources against predefined models which identify malicious activity.
22 System Monitoring
- Can preempt attacks before they are executed.
- This type of monitoring can
  - Prevent files from being modified.
  - Allow access to data files only to a predefined set of processes.
  - Protect system registry settings from modification.
  - Prevent critical system services from being stopped.
  - Protect settings for users from being modified.
  - Stop exploitation of application vulnerabilities.
23 HIDS Software
- Deployed by installing agent software on the system.
- Effective for detecting insider attacks.
- Host wrappers
  - Inexpensive and deployable on all machines
  - Do not provide the in-depth, active monitoring measures of agent-based HIDS products
  - Sometimes referred to as personal firewalls
- Agent-based software
  - More suited for single-purpose servers
24 HIDS Active Monitoring Capabilities
- Options commonly used
  - Log the event
    - Very good for post-mortem analysis
  - Alert the administrator
    - Through email or SNMP traps
  - Terminate the user login
    - Perhaps with a warning message
  - Disable the user account
  - Prevent access to memory, processor time, or disk space.
25 Advantages of Host-based IDS
- Can verify the success or failure of an attack
  - By reviewing log entries
- Monitors user and system activities
  - Useful in forensic analysis of the attack
- Can protect against non-network-based attacks
- Reacts very quickly to intrusions
  - By preventing access to system resources
  - By immediately identifying a breach when it occurs
- Does not rely on a particular network infrastructure
  - Not limited by switched infrastructures
  - Installed on the protected server itself
- Does not require additional hardware to deploy
  - Needs no changes to the network infrastructure
26 Active/Passive Detection
- The ability of an IDS to take action when it detects suspicious activity.
- Passive systems
  - Take no action to stop or prevent the activity.
  - They log events.
  - They alert administrators.
  - They record the traffic for analysis.
- Active systems
  - They do all the recording that passive systems do.
  - They interoperate with firewalls and routers.
    - Can cause blocking or shunning.
  - They can send TCP resets.
27 Our Approach
- We present a variant, but novel, approach to the anomaly detection scheme.
- We show how to detect attacks without the use of data banks.
- We show how to correlate multiple inputs to define the basis of a new-generation analysis engine.
28 Signals and Signal Processing
- Signal definition
  - A function of independent variables like time, distance, position, temperature, and pressure.
- Signals play an important part in our daily lives
  - Examples: speech, music, pictures, and video.
- Signal classification
  - Analog: the independent variable on which the signal depends is continuous.
  - Digital: the independent variable is discrete.
    - Digital signals are represented as a sequence of numbers (samples).
- Signals carry information
  - The objective of signal processing is to extract this useful information.
29 Energy of a Signal
- We can also define a signal as a function of varying amplitude through time.
- The measure of a signal's strength is the area under the absolute value of the curve.
- This measure is referred to as the energy of the signal and is defined as
  - Energy of a continuous signal
  - Energy of a discrete signal
30 What is a Wavelet? (Wavelet Analysis)
- Wavelets are functions that satisfy certain mathematical requirements and are used to represent data or other functions.
- The idea is not new: Joseph Fourier, 1800s.
- Wavelet: the scale we use to see data plays an important role.
- The FT is non-local: it does a very poor job on sharp spikes.
(figure: Daubechies db10 wavelet and a sine wave)
31 History of Wavelets
- 1807 Joseph Fourier: theory of frequency analysis; any 2π-periodic function f(x) is the sum of its Fourier series.
- 1909 Alfred Haar: PhD thesis; defined the Haar basis function, which has compact support (vanishes outside a finite interval).
- 1930 Paul Levy (physicist) investigated Brownian motion (a random signal) and concluded that the Haar basis is better than the FT.
- 1930s Littlewood, Paley, Stein calculated the energy of the function.
- 1960 Guido Weiss, Ronald Coifman: studied the simplest element of function space, called an atom.
- 1980 Grossman (physicist), Morlet (engineer): broadly defined the wavelet in terms of quantum mechanics.
- 1985 Stephen Mallat: defined wavelets for his digital signal processing work for his Ph.D.
- Y. Meyer constructed the first non-trivial wavelet.
- 1988 Ingrid Daubechies: used Mallat's work and constructed a set of wavelets.
- The name emerged from the literature of geophysics, by a route through France. The word onde led to ondelette; in translation, wave led to wavelet.
32 Fourier Series and Energy
33 Functions
- Functions (science and engineering) often use time as their parameter.
  - g(t) represents the time domain.
- Since a typical function oscillates, think of it as a wave; so G(f), where f is the frequency of the wave, is the function represented in the frequency domain.
- A function g(t) is periodic if there exists a nonzero constant P such that g(t + P) = g(t) for all t, where P is called the period.
- A periodic function has 4 important attributes
  - Amplitude: the maximum value it has in any period
  - Period: 2P
  - Frequency: f = 1/P (the inverse), in cycles per second, Hz
  - Phase: cos is a sin function with a phase
34 Fourier, Haar
- (amplitude, time) → (amplitude, frequency)
- 1965 Cooley and Tukey: Fast Fourier Transform
- Haar
35 CWT
- Continuous wavelet transform (CWT) of a function f(t) with a mother wavelet.
- The mother wavelet may be real or complex, with the following properties:
  - 1. The total area under the curve is 0.
  - 2. The total area of the squared wavelet is finite.
  - 3. Admissibility condition.
- It oscillates above and below the t-axis.
- The energy of the function is finite, so the function is localized.
- An infinite number of functions satisfy the above conditions; some of them are used for the wavelet transform.
- Examples
  - Morlet wavelet
  - Mexican hat wavelet
36
- Once a wavelet has been chosen, the CWT of a square integrable function f(t) is defined as
  - the bar denotes the complex conjugate
- For any a,
  - Thus b is a translation parameter
- Setting b = 0,
  - Here a is a scaling parameter
  - a > 1 stretches the wavelet and 0 < a < 1 shrinks it
37 Wavelets
- Fourier Transform
- CWT: C(scale, position)
- Scaling a wave means simply stretching (or shrinking) it
- Shifting: f(t) → f(t - k)
38 Wavelets (continued)
- Wavelets are basis functions in continuous time.
- A basis is a set of linearly independent functions that can be used to produce a function f(t).
  - f(t) is a combination of basis functions.
- The basis is constructed from a single mother wavelet w(t); normally it is a small wave that starts at 0 and ends at t = N.
  - Shrunken (scaled)
  - Shifted
- A typical wavelet compressed j times and shifted k times is
- Property: the remarkable property is orthogonality, i.e. their inner products are zero.
  - This leads to a simple formula for the coefficient b_jk.
39 Haar Transform
- Digitized sound and images are discrete, so we need a discrete wavelet.
- where c_k and d_{j,k} are coefficients to be calculated.
- Example: consider the array of 8 values (1, 2, 3, 4, 5, 6, 7, 8).
  - 4 average values and 4 differences (detail coefficients).
  - Calculate the average and difference for the 4 averages.
  - Continue this way.
- The method is called PYRAMID DECOMPOSITION.
- The Haar transform depends on the coefficients ½, ½ and ½, -½.
  - If we replace the 2 by √2, the results are called coarse detail and fine detail.
40 Transforms
- A transform of a signal is a new representation of that signal.
- Example: from the signal x0, x1, x2, x3 define y0, y1, y2, y3.
- Questions
  - 1. What is the purpose of the y's?
  - 2. Can we get back the x's?
- Answer for 2: the transform is invertible (perfect reconstruction).
- Divide transforms into 3 groups
  - 1. Lossless (orthogonal): the transformed signal has the same length.
  - 2. Invertible (bi-orthogonal): length and angle may change; no information is lost.
  - 3. Lossy (not invertible).
41 Answer to Q1: Purpose
- IT SEES LARGE vs SMALL
- x0 = 1.2, x1 = 1.0, x2 = -1.0, x3 = -1.2
- Y = 2.2 0 -2.2 0
- The key idea for wavelets is the concept of "SCALE".
- We can take sums and differences again by recursion → multiresolution.
- Main idea of wavelet analysis: analyze a function at different scales; the mother wavelet is used to construct wavelets at different scales, and each is translated relative to the function being analyzed.
- Z = 0 0 4.4 0
- Reconstruct → compression 4:1
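The pyramid decomposition of slide 39 and the sums-and-differences example of slides 40 and 41, as an added Python example (not the authors' code): one Haar analysis step with a selectable scale factor c (c = 1/2 for the averages and differences, c = 1/√2 for the orthonormal form, c = 1 for plain sums and differences), the recursive pyramid, its inverse, the energy of slide 29 as a check that the orthonormal form is lossless, and a crude "keep only the largest coefficient" compression that reproduces the 4:1 idea. With c = 1 the pairwise differences of x = (1.2, 1.0, -1.0, -1.2) come out as 0.2 where the slide's Y shows 0; the second level gives z = (0, 4.4) as on the slide. Function names are mine.

```python
import math

def haar_step(x, c):
    """One analysis step: pairwise sums and differences, each scaled by c.
    c = 1/2 gives averages and differences, c = 1/sqrt(2) the orthonormal
    (energy-preserving) form, c = 1 the plain sums and differences."""
    if len(x) % 2:
        raise ValueError("signal length must be even")
    low = [(x[i] + x[i + 1]) * c for i in range(0, len(x), 2)]
    high = [(x[i] - x[i + 1]) * c for i in range(0, len(x), 2)]
    return low, high

def haar_inverse_step(low, high, c):
    """Undo haar_step: x0 = (low + high) / 2c, x1 = (low - high) / 2c."""
    x = []
    for lo, hi in zip(low, high):
        x += [(lo + hi) / (2 * c), (lo - hi) / (2 * c)]
    return x

def haar_pyramid(x, c=0.5, levels=None):
    """Pyramid decomposition: keep each level's details, recurse on the lows.
    Returns (final lows, [details coarsest ... finest])."""
    if levels is None:
        levels = int(math.log2(len(x)))
    low, details = list(x), []
    for _ in range(levels):
        low, high = haar_step(low, c)
        details.insert(0, high)
    return low, details

def haar_reconstruct(low, details, c=0.5):
    """Inverse pyramid: add the details back from coarsest to finest."""
    x = list(low)
    for high in details:
        x = haar_inverse_step(x, high, c)
    return x

def energy(x):
    """Energy of a discrete signal: the sum of the squared samples."""
    return sum(v * v for v in x)

def keep_largest(low, details, k):
    """Crude compression: zero every coefficient except the k largest in magnitude."""
    coeffs = list(low) + [v for d in details for v in d]
    thresh = sorted(abs(v) for v in coeffs)[-k]
    keep = lambda v: v if abs(v) >= thresh else 0.0
    return [keep(v) for v in low], [[keep(v) for v in d] for d in details]

if __name__ == "__main__":
    low, details = haar_pyramid([1, 2, 3, 4, 5, 6, 7, 8])
    print("averages", low, "details", details)                    # pyramid of slide 39
    low, details = haar_pyramid([1.2, 1.0, -1.0, -1.2], c=1.0)
    print(haar_reconstruct(*keep_largest(low, details, 1), c=1.0))  # 4:1 compression
```

For (1, 2, ..., 8) the three levels give averages 4.5 with details (-2), (-1, -1) and four times -0.5, and the reconstruction is exact; with c = 1/√2 the sum of the squared coefficients equals the energy of the input, which is what "lossless (orthogonal)" on slide 40 means. Keeping only the 4.4 coefficient of the slide 41 signal reconstructs (1.1, 1.1, -1.1, -1.1): one number carries the large-scale shape of four.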
49 Real electricity consumption
- A peak in the center, followed by two drops, a shallow drop, and then a considerably weaker peak.
- d1, d2 show the noise.
- d3 presents high values at the beginning and at the end of the main peak, thus allowing us to locate the corresponding peak.
- d4 shows 3 successive peaks; this fits the shape of the curve remarkably.
- a1, a2: strong resemblance.
- a3 reasonable; a4 lost lots of information.
54 JPEG (Joint Photographic Experts Group)
- 1. Color images (RGB) are changed into a luminance/chrominance color space.
- 2. The color (chrominance) components are down-sampled by creating low-resolution pixels, but not the luminance part, horizontally and vertically (2:1 or 2:1, 1:1), giving 1/3, (2/3)(1/4), or ½ of the original size.
- 3. Group 8x8 pixels into data units; if the dimensions are not multiples of 8, the bottom row and right column are duplicated.
- 4. Apply the DCT to each data unit: 64 coefficients.
- 5. Each of the 64 frequency components in a data unit is divided by a separate number called the quantization coefficient (QC) and then rounded to an integer.
- 6. The quantized coefficients are encoded using RLE, Huffman encoding, or arithmetic encoding (QM coder).
- 7. Add headers and parameters, and output the result.
  - Interchange format: compressed data plus all tables needed by the decoder.
  - Abbreviated format: compressed data without tables (or with few tables).
  - Abbreviated format: just tables, no compressed data.
- THE DECODER DOES THE REVERSE OF THE ABOVE STEPS.
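Steps 4 and 5 of the list above, and the decoder's reversal of them, as an added Python example (not the slide's code and not a JPEG implementation): an orthonormal 8x8 DCT-II, division by a quantization table with rounding, then dequantization and inverse DCT. The quantization table is constructed for the example and is not one of the standard JPEG tables; the entropy-coding step (6) is left out, and nonzero_count() only shows how many coefficients that step would have to encode.

```python
import math

N = 8   # a JPEG data unit is 8x8 pixels

def alpha(u):
    return math.sqrt(1.0 / N) if u == 0 else math.sqrt(2.0 / N)

def dct_1d(v):
    """Orthonormal DCT-II of 8 samples."""
    return [alpha(u) * sum(v[n] * math.cos(math.pi * (2 * n + 1) * u / (2 * N))
                           for n in range(N)) for u in range(N)]

def idct_1d(c):
    """Inverse DCT (the transform is orthonormal, so this is its transpose)."""
    return [sum(alpha(u) * c[u] * math.cos(math.pi * (2 * n + 1) * u / (2 * N))
                for u in range(N)) for n in range(N)]

def apply_2d(block, f):
    """Separable 2-D transform: f on every row, then f on every column."""
    rows = [f(row) for row in block]
    cols = [f([rows[i][j] for i in range(N)]) for j in range(N)]
    return [[cols[j][i] for j in range(N)] for i in range(N)]

# Constructed quantization table (NOT one of the standard JPEG tables):
# step 8 for the DC term, coarser steps for higher frequencies.
QC = [[8 + 4 * (u + v) for v in range(N)] for u in range(N)]

def encode_block(block):
    """Steps 4-5: DCT, divide each coefficient by its QC, round to an integer."""
    coeffs = apply_2d(block, dct_1d)
    return [[round(coeffs[u][v] / QC[u][v]) for v in range(N)] for u in range(N)]

def decode_block(quantized):
    """Decoder: multiply back by the QC, then inverse DCT."""
    coeffs = [[quantized[u][v] * QC[u][v] for v in range(N)] for u in range(N)]
    return apply_2d(coeffs, idct_1d)

def nonzero_count(quantized):
    """How many of the 64 quantized coefficients survive (what RLE later exploits)."""
    return sum(1 for row in quantized for v in row if v != 0)

def max_error(block, reconstructed):
    return max(abs(block[i][j] - reconstructed[i][j]) for i in range(N) for j in range(N))

FLAT = [[100] * N for _ in range(N)]                          # constructed: uniform block
RAMP = [[10 * i + 2 * j for j in range(N)] for i in range(N)]  # constructed: smooth gradient

if __name__ == "__main__":
    q = encode_block(RAMP)
    print("nonzero quantized coefficients:", nonzero_count(q), "of 64")
    print("max reconstruction error:", max_error(RAMP, decode_block(q)))
```

The uniform block ends up as a single DC coefficient (800 / 8 = 100) and 63 zeros; the gradient keeps a handful of low-frequency coefficients and comes back with a small error, which is where JPEG's loss happens: the DCT itself is invertible to rounding precision, the rounding in step 5 is not.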
55 JPEG 2000 or JPEG Y2k
- Divide into 3 colors.
- Each color is partitioned into rectangular, non-overlapping regions called tiles that are compressed individually.
- A tile is compressed in 4 main steps:
  - 1. Compute the wavelet transform (sub-bands of wavelets, integer or floating point) to L+1 levels, where L is a parameter determined by the encoder.
  - 2. The wavelet coefficients are quantized; this depends on the bit rate.
  - 3. Use an arithmetic encoder for the wavelet coefficients.
  - 4. Construct the bit stream for certain regions, in no particular order.
- Bit streams are organized into layers; each layer contains higher-resolution image information.
- Thus decoding layer by layer is a natural way to achieve progressive image transformation and decompression.
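Step 1 of the tile compression above and the layered, progressive decoding, as an added Python example (not JPEG 2000's own filters, which are not the Haar pair, and not the authors' code): one level of separable 2-D Haar analysis on a constructed 4x4 tile produces an approximation sub-band A and three detail sub-bands H, V, D (my labelling: H is high-pass along x, V high-pass along y, D both), a uniform quantizer stands in for step 2, and a coarse first layer is decoded from A alone before the details are added. The tile values and function names are mine.

```python
def haar_pairs(v):
    """Pairwise averages and differences (Haar with coefficients 1/2, 1/2 and 1/2, -1/2)."""
    low = [(v[i] + v[i + 1]) / 2 for i in range(0, len(v), 2)]
    high = [(v[i] - v[i + 1]) / 2 for i in range(0, len(v), 2)]
    return low, high

def haar_unpairs(low, high):
    """Inverse of haar_pairs."""
    v = []
    for lo, hi in zip(low, high):
        v += [lo + hi, lo - hi]
    return v

def transpose(m):
    return [list(col) for col in zip(*m)]

def dwt2(tile):
    """One level of separable 2-D Haar on a tile with even height and width.
    Returns A, H, V, D, each half the size of the tile in both dimensions."""
    rows_low, rows_high = zip(*(haar_pairs(row) for row in tile))   # along x
    def along_y(m):
        low, high = zip(*(haar_pairs(col) for col in transpose(m)))
        return transpose(low), transpose(high)
    A, V = along_y(rows_low)    # low along x, then low / high along y
    H, D = along_y(rows_high)   # high along x, then low / high along y
    return A, H, V, D

def idwt2(A, H, V, D):
    """Inverse of dwt2."""
    def along_y(low, high):
        return transpose([haar_unpairs(lo, hi)
                          for lo, hi in zip(transpose(low), transpose(high))])
    rows_low = along_y(A, V)
    rows_high = along_y(H, D)
    return [haar_unpairs(lo, hi) for lo, hi in zip(rows_low, rows_high)]

def quantize(band, step):
    """Uniform scalar quantizer: coefficients become integer multiples of step."""
    return [[round(v / step) * step for v in row] for row in band]

def zeros_like(band):
    return [[0.0] * len(row) for row in band]

def decode_layers(A, H, V, D, layers):
    """Progressive decoding: layer 1 uses the approximation only, layer 2 adds the details."""
    if layers == 1:
        return idwt2(A, zeros_like(H), zeros_like(V), zeros_like(D))
    return idwt2(A, H, V, D)

# Constructed 4x4 tile (one colour component).
TILE = [[1, 2, 3, 4],
        [5, 6, 7, 8],
        [9, 10, 11, 12],
        [13, 14, 15, 16]]

if __name__ == "__main__":
    A, H, V, D = dwt2(TILE)
    print("A", A, "H", H, "V", V, "D", D)
    print("layer 1:", decode_layers(A, H, V, D, 1))
    print("layer 2:", decode_layers(A, H, V, D, 2))
```

Each 2x2 block of the tile becomes one A value (its mean) plus one coefficient in each of H, V and D; decoding layer 1 alone gives the half-resolution picture blown up to full size, and layer 2 restores the tile exactly. Quantizing the sub-bands (step 2) before the inverse is what trades bit rate for error.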
58 (figure: decomposition panels labelled A, H, D, V)
60 Lowpass Filter: Moving Average
- y(n) = x(n)/2 + x(n-1)/2; here h(0) = 1/2 and h(1) = 1/2.
- Fits the standard form for k = 0, 1; with x = unit impulse:
  - x = (... 0 0 0 0 1 0 0 0 ...), then y = (... 0 0 1/2 1/2 0 0 ...)
- Average filter = 1/2 (identity) + 1/2 (delay)
- Every linear operator acting on a single vector x can be represented by y = Hx.
  - The main diagonal comes from the identity; the subdiagonal comes from the delay.
- We have finitely many (two) coefficients → FIR (finite impulse response).
- Low pass → scaling function.
- It smooths out bumps in the signal (high-frequency components).
61 Highpass Filter: Moving Difference
- y(n) = 1/2 (x(n) - x(n-1))
  - h(0) = 1/2
  - h(1) = -1/2
  - y = H1 x
- Filter bank: lowpass and highpass
  - They separate the signal into frequency bands.
- Problem: the signal length is doubled.
  - Both outputs are the same size as the signal → gives double the size of the original signal.
- Solution: down sampling.
62 Down Sampling
- We can keep half of H0 and H1 and still recover x.
- Save only the even-numbered components (delete the odd-numbered elements); denoted by (↓2), decimation.
  - (↓2) y = (... y(-4) y(-2) y(0) y(2) ...)
- Filtering + down sampling → analysis bank (gives half-size signals).
- The inverse of this process → synthesis bank
  - i.e. up sampling + filtering
  - Put zeros back in place of the deleted components (this restores the full size); denoted by (↑2).
  - y → (↓2 y) → (↑2)(↓2 y)
63 Scaling Function and Wavelets
- Corresponding to the low pass → there is a scaling function.
- Corresponding to the high pass → there is a wavelet function.
- Dilation equation → scaling function
  - In terms of the original low pass filters
  - we have
  - for h(0) = h(1) = 1/2 we have
  - the graph compressed by 2 gives one term, and shifted by 1/2 gives the other
- In a similar way, the wavelet equation
64 Wavelet Packet
- Walsh-Hadamard transform: complete binary tree → wavelet packet.
- "Hadamard matrix" → all entries are 1 and -1 and all rows are orthogonal; divide twice by sqrt(2) → orthogonal and symmetric.
- Compare with the wavelet computations:
  - x → sums (y0 and y2) → sums: z0 = 0; difference: z2 = 4.4
  - x → differences (y1 and y3) → sums: z1 = 0.4; difference: z3 = 0
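The comparison on the slide, as an added Python example (not the authors' code): a Hadamard matrix by the Sylvester construction, the check that its rows are orthogonal and that dividing by √2 twice makes it orthogonal and symmetric, and the complete binary tree of sums and differences (the wavelet packet, which splits the differences again as well as the sums) applied to x = (1.2, 1.0, -1.0, -1.2). Its leaves z = (0, 0.4, 4.4, 0) coincide with the rows of the 4x4 Hadamard matrix applied to x. Function names are mine.

```python
def hadamard(n):
    """Sylvester construction: H(1) = [[1]], H(2m) = [[H, H], [H, -H]]; n a power of 2."""
    H = [[1]]
    while len(H) < n:
        H = [row + row for row in H] + [row + [-v for v in row] for row in H]
    return H

def matvec(M, x):
    return [sum(m * v for m, v in zip(row, x)) for row in M]

def gram(M):
    """M * M^T; rows orthogonal means this is diagonal."""
    return [[sum(a * b for a, b in zip(r1, r2)) for r2 in M] for r1 in M]

def is_orthogonal_symmetric(M, tol=1e-12):
    n = len(M)
    symmetric = all(abs(M[i][j] - M[j][i]) < tol for i in range(n) for j in range(n))
    G = gram(M)
    orthonormal = all(abs(G[i][j] - (i == j)) < tol for i in range(n) for j in range(n))
    return symmetric and orthonormal

def scale(M, s):
    return [[v * s for v in row] for row in M]

def wavelet_packet(x):
    """Complete binary tree of sums and differences: unlike the pyramid, the
    differences are split again too. Leaves are returned so that bit 0 of the
    index is the level-1 choice (0 sum, 1 difference), bit 1 the level-2
    choice, and so on, which is the row order of the Sylvester Hadamard matrix."""
    if len(x) == 1:
        return list(x)
    sums = [x[i] + x[i + 1] for i in range(0, len(x), 2)]
    diffs = [x[i] - x[i + 1] for i in range(0, len(x), 2)]
    leaves = []
    for s, d in zip(wavelet_packet(sums), wavelet_packet(diffs)):
        leaves += [s, d]
    return leaves

def energy(x):
    return sum(v * v for v in x)

X = [1.2, 1.0, -1.0, -1.2]   # the signal of slide 41

if __name__ == "__main__":
    H4 = hadamard(4)
    print("z from the packet tree:", wavelet_packet(X))
    print("H4 x:", matvec(H4, X))
    print("H4 / 2 orthogonal and symmetric:", is_orthogonal_symmetric(scale(H4, 0.5)))
```

Because the rows are orthogonal, H4 times its transpose is 4I, so the energy of z divided by 4 equals the energy of x: the packet transform, like the pyramid, loses nothing.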
65 Filters and Filter Banks
- A filter is a linear time-invariant operator.
- It acts on an input vector x; the output vector y is the convolution of x with a fixed vector h.
- h → contains the filter coefficients; our filters are digital, not analog; the h(n) are at discrete times t = nT.
  - T is the sampling period; assume it is 1 here.
- x(n) and y(n) come at all times t = 0, ±1, ...
- y(n) = Σ h(k) x(n-k): convolution h * x in the time domain.
- Filter bank: set of all filters.
- Convolution by hand: arrange it as ordinary multiplication, but don't carry digits from one column to another.
  - x = 3 2 4, h = 1 5 2
  - x * h = 3 17 20 24 8
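The convolution of this slide together with the two Haar filters and the down-/up-sampling of slides 60 to 62, as an added Python example (not the authors' code): convolve() is the "multiplication without carries" and reproduces x * h = 3 17 20 24 8; filter_matrix() builds the banded matrix H with the identity on the diagonal and the delay on the subdiagonal so that y = Hx; the analysis bank filters with H0 and H1 and decimates, and the synthesis bank up-samples and recombines to recover x exactly. The 6-sample input is constructed; names are mine.

```python
def convolve(x, h):
    """y(n) = sum_k h(k) x(n-k), zeros assumed outside both vectors; this is the
    'ordinary multiplication without carrying digits' of slide 65."""
    y = [0] * (len(x) + len(h) - 1)
    for n in range(len(y)):
        for k, hk in enumerate(h):
            if 0 <= n - k < len(x):
                y[n] += hk * x[n - k]
    return y

def filter_matrix(h, n):
    """n x n matrix with h(k) on the k-th subdiagonal, so that y = Hx for the
    first n outputs; for h = (1/2, 1/2) the diagonal is the identity part and
    the subdiagonal the delay part."""
    return [[h[i - j] if 0 <= i - j < len(h) else 0 for j in range(n)] for i in range(n)]

def matvec(M, x):
    return [sum(m * v for m, v in zip(row, x)) for row in M]

H0 = [0.5, 0.5]    # lowpass: moving average
H1 = [0.5, -0.5]   # highpass: moving difference

def downsample(y):
    """(down 2): keep the even-numbered components, drop the odd-numbered ones."""
    return y[0::2]

def upsample(c):
    """(up 2): kept components back at even positions, zeros in between."""
    u = [0] * (2 * len(c))
    u[0::2] = c
    return u

def analysis_bank(x):
    """Filter with H0 and H1, then decimate each output: two half-size signals."""
    return downsample(convolve(x, H0)), downsample(convolve(x, H1))

def synthesis_bank(c, d, n):
    """Up-sample both channels and recombine to get x(0..n-1) back. For the
    Haar pair x(2m) = c(2m) + d(2m) and x(2m-1) = c(2m) - d(2m)."""
    u0, u1 = upsample(c) + [0], upsample(d) + [0]
    return [u0[i] + u1[i] + u0[i + 1] - u1[i + 1] for i in range(n)]

X = [3, 2, 4, 1, 0, 6]   # constructed input signal

if __name__ == "__main__":
    print(convolve([3, 2, 4], [1, 5, 2]))          # 3 17 20 24 8 as on slide 65
    c, d = analysis_bank(X)
    print(c, d, synthesis_bank(c, d, len(X)))
```

Without decimation the two filtered outputs together hold twice as many numbers as the input (the "problem" of slide 61); after keeping only the even-numbered components of each, the two half-size channels still reconstruct x exactly, which is the point of slide 62.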
66 Our Network Topology
- We set up a star topology network.
- Four computers in an island
  - Each running Linux RedHat 9.2
  - The machines are connected by a switch
  - The switch is connected to a PIX 515E Firewall
  - A 3Com Ethernet hub sits between the switch and the firewall
    - For sniffing and capturing packets
- We duplicated this island six times and connected them with routers.
- We then connected the islands, via the routers, to a central Cisco switch.
- For simulation purposes, we installed Windows XP on one machine in island one.
67 Data Collection
- We generated packets with a Perl script on a Linux system.
- We used the three most common protocols for our simulation: HTTP, FTP, and SMTP.
- For each protocol
  - We generated constant traffic.
  - We created 50 datasets, each consisting of the number of packets transmitted over two-minute intervals.
  - We executed the same traffic scripts with a random pause between 0 and 60 seconds.
  - We then re-ran the traffic with pauses between 0 and 15 seconds to create additional datasets.
- We collected all 150 datasets with Ethereal for further analysis.
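How the datasets above are formed, as an added Python example (not the authors' Perl script or their analysis): packet timestamps are counted into two-minute intervals to give the per-interval packet counts the slide describes, and the first-level Haar detail coefficients of that count series are computed. The flagging rule (a detail larger than four times the median detail magnitude) is my assumption to illustrate how the details are read, not a rule from the slides; the timestamps are constructed, not captured traffic.

```python
INTERVAL = 120.0   # seconds: the two-minute intervals of slide 67

def bin_counts(timestamps, t0, n_bins, interval=INTERVAL):
    """Number of packets seen in each of n_bins consecutive intervals from t0."""
    counts = [0] * n_bins
    for t in timestamps:
        i = int((t - t0) // interval)
        if 0 <= i < n_bins:
            counts[i] += 1
    return counts

def haar_details(counts):
    """First-level Haar detail coefficients: half the difference of each
    pair of neighbouring intervals (the d1 of the decomposition)."""
    return [(counts[i] - counts[i + 1]) / 2 for i in range(0, len(counts) - 1, 2)]

def flag_bursts(counts, factor=4.0):
    """Assumed rule, not from the slides: flag the interval pairs whose detail
    magnitude exceeds factor times the median detail magnitude (at least 1)."""
    details = haar_details(counts)
    magnitudes = sorted(abs(v) for v in details)
    median = magnitudes[len(magnitudes) // 2]
    threshold = factor * max(median, 1.0)
    return [i for i, v in enumerate(details) if abs(v) > threshold]

# Constructed traffic: 16 intervals of steady traffic, 50 packets each
# (one packet every 2.4 s), with a burst of 400 packets in interval 10.
PACKETS_PER_INTERVAL = [50] * 16
PACKETS_PER_INTERVAL[10] = 400
TIMESTAMPS = [i * INTERVAL + j * (INTERVAL / n)
              for i, n in enumerate(PACKETS_PER_INTERVAL) for j in range(n)]

if __name__ == "__main__":
    counts = bin_counts(TIMESTAMPS, 0.0, 16)
    print("counts:", counts)
    print("d1:", haar_details(counts))
    print("flagged pairs (intervals 2i, 2i+1):", flag_bursts(counts))
```

The steady intervals give zero detail, and the only large d1 coefficient (175, from the pair of intervals 10 and 11) locates the change without any signature database, which is the property the approach is after. A real series would carry noise in d1 as in the electricity example of slide 49, so a threshold would have to be set against that noise level rather than against zero.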
68 Results: Figure 1
69 Figure 2
70 Figure 3
71 Figure 4
72 Figure 5
73 Figure 6
74 Conclusion and Future Direction
- We have presented
  - A wavelet-based framework for network monitoring.
- This is our first phase in the development of an engine for network intrusion analysis.
- This will not depend on databases and thus will minimize false negatives and false positives.