BIDE

Behavior Intrusion Detection: Enhanced

Project proposal

CS591

Hakan Evecek

Rodolfo Ortiz

Introduction

A Behavior Based Intrusion Detection System (BBIDS) can be described as an alarm for unusual system behavior [1]. It builds on the idea of a rule-based IDS, which tests network traffic against a set of rules, but goes further: it operates from a baseline of normal activity [1]. This baseline is obtained from statistics on network behavior; in other words, a ‘profile’ of the network is created.

Problem statement

The first problem is that a BBIDS can itself be attacked and its baseline redefined by intruders: an intruder can train the BBIDS so that it no longer detects the attack. The second problem is that a BBIDS generates many false positives during setup and whenever the network environment changes. It is up to the administrator to discard the alerts that are not related to an intrusion, which means constant retraining [1] to keep the network baseline up to date.

Proposed approach

The project will consider how to enhance and extend a BBIDS. There are several commercial and open source BIDS (Stealth Watch, RealSecure, Cisco NetRanger, McAfee IntruShield, Shadow [7], LADS, SNORT); we will use SNORT, which is an open source Intrusion Detection System. Based on SNORT, improvements will be proposed.

Three protocols will be analyzed: DNS, ICMP and HTTP vs HTTPS. For each protocol, the timing of its exchanges will be considered: the time it takes to receive an answer must fall within a valid range, which we will determine. The first step is collecting data, and then developing a model that fits the data.

A baseline of what is normal behavior and what is not will be established. For example, an HTTP connection begins with a TCP three-way handshake, which completes in a certain amount of time. The BBIDS does not consider this; so, if traffic does not stay close to this timing, it should be flagged as suspicious. It may be valid traffic that was delayed, or worse, it may be a host other than the legitimate one answering in its place.

A subdomain will be created, running software that generates DNS, ICMP and HTTP/HTTPS traffic. The tools used to analyze the packets are TCPDUMP, SNORT, ETHEREAL and a trial version of ClearSight [6]. These packages show the timing and content of each packet.
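
The procedure described above (collect request/response timings per protocol, derive a valid range, flag exchanges outside it) worked through as an added example; this is not code from the proposal or from SNORT. It assumes that a capture has already been reduced to a list of (timestamp, protocol, kind, key) events, where the key is the DNS transaction id, the ICMP sequence number, or the client port of the TCP SYN that opens an HTTP connection; all timestamps and RTT values below are constructed. The baseline uses the median and median absolute deviation (MAD) rather than mean and standard deviation, which also addresses the training concern raised in the problem statement: a few deliberately slow exchanges injected into the training capture barely move a median-based range.

```python
"""Per-protocol round-trip timing baseline and anomaly check (added example)."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# (timestamp_seconds, protocol, kind, key): kind is "req" or "resp"; key ties a
# response to its request. Constructed stand-in for a tcpdump/Ethereal capture.
Event = Tuple[float, str, str, int]
Exchange = Tuple[str, int, float]          # (protocol, key, rtt_seconds)
Baseline = Dict[str, Tuple[float, float]]  # protocol -> (low, high) seconds

MAD_SCALE = 1.4826  # MAD -> std-dev equivalent under a normal distribution
K_SIGMAS = 3.0      # half-width of the valid range (assumed for this example)


def pair_exchanges(events: List[Event]) -> List[Exchange]:
    """Match each response to the earliest unanswered request with the same
    (protocol, key) and return the round-trip times, rounded to microseconds
    (pcap timestamp resolution). Unanswered requests produce no exchange."""
    pending: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    exchanges: List[Exchange] = []
    for ts, proto, kind, key in sorted(events):
        if kind == "req":
            pending[(proto, key)].append(ts)
        elif pending[(proto, key)]:
            sent = pending[(proto, key)].pop(0)
            exchanges.append((proto, key, round(ts - sent, 6)))
        # a response with no matching request carries no timing: skipped here
    return exchanges


def build_baseline(exchanges: List[Exchange]) -> Baseline:
    """Valid RTT range per protocol from the median and MAD of training RTTs."""
    by_proto: Dict[str, List[float]] = defaultdict(list)
    for proto, _, rtt in exchanges:
        by_proto[proto].append(rtt)
    baseline: Baseline = {}
    for proto, rtts in by_proto.items():
        med = median(rtts)
        mad = median(abs(r - med) for r in rtts)
        sigma = MAD_SCALE * mad
        if sigma == 0.0:          # all training samples identical (edge case):
            sigma = 0.1 * med     # assume a 10% tolerance floor instead of zero width
        baseline[proto] = (max(0.0, med - K_SIGMAS * sigma), med + K_SIGMAS * sigma)
    return baseline


def check(exchanges: List[Exchange], baseline: Baseline) -> List[Tuple[str, int, float, str]]:
    """Classify each exchange: 'ok', 'slow' (above range), 'fast' (below range,
    e.g. an answer arriving sooner than the legitimate host ever replies), or
    'unknown' when no profile exists for that protocol."""
    findings = []
    for proto, key, rtt in exchanges:
        if proto not in baseline:
            verdict = "unknown"
        else:
            low, high = baseline[proto]
            verdict = "slow" if rtt > high else "fast" if rtt < low else "ok"
        findings.append((proto, key, rtt, verdict))
    return findings


def _capture(proto: str, rtts: List[float], start: float = 0.0) -> List[Event]:
    """Constructed helper: one request/response pair per RTT, sent 1 s apart."""
    events: List[Event] = []
    for i, rtt in enumerate(rtts):
        t = start + i
        events += [(t, proto, "req", i), (t + rtt, proto, "resp", i)]
    return events


# Constructed training capture ("normal" traffic from the testbed).
TRAINING_CAPTURE = (
    _capture("dns", [0.020, 0.022, 0.019, 0.021, 0.025, 0.020, 0.023])
    + _capture("icmp", [0.010, 0.011, 0.010, 0.012, 0.010, 0.011, 0.013], 100)
    + _capture("tcp", [0.030, 0.031, 0.029, 0.030, 0.032, 0.030, 0.028], 200)
)

# Constructed test capture: one normal and one off-baseline exchange per protocol.
TEST_CAPTURE: List[Event] = [
    (300.0, "dns", "req", 7), (300.022, "dns", "resp", 7),        # normal answer
    (301.0, "dns", "req", 8), (301.400, "dns", "resp", 8),        # delayed answer
    (302.0, "icmp", "req", 9), (302.012, "icmp", "resp", 9),      # normal reply
    (303.0, "icmp", "req", 10), (303.0005, "icmp", "resp", 10),   # reply far too fast
    (304.0, "tcp", "req", 40001), (304.031, "tcp", "resp", 40001),  # normal SYN/SYN-ACK
    (305.0, "tcp", "req", 40002), (305.002, "tcp", "resp", 40002),  # SYN-ACK too fast
    (306.0, "tcp", "req", 40003),                                   # SYN never answered
]


def run_demo() -> Tuple[Baseline, List[Tuple[str, int, float, str]]]:
    """Build the baseline from the training capture and check the test capture."""
    baseline = build_baseline(pair_exchanges(TRAINING_CAPTURE))
    findings = check(pair_exchanges(TEST_CAPTURE), baseline)
    return baseline, findings


if __name__ == "__main__":
    base, found = run_demo()
    for proto, (low, high) in base.items():
        print(f"{proto:5s} valid RTT range: {low * 1000:.2f} .. {high * 1000:.2f} ms")
    for proto, key, rtt, verdict in found:
        print(f"{proto:5s} key={key:<6d} rtt={rtt * 1000:8.3f} ms  {verdict}")
```

Both directions are flagged: a 'slow' verdict covers the delayed-valid-traffic case from the text, while 'fast' is the more interesting one for the spoofed-responder case, since an answer that arrives sooner than the real host ever responds is a sign that something else answered. The unanswered SYN produces no exchange at all, which a fuller detector would count separately.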


Proposed schedule

3 weeks: Research the protocols to be analyzed
    ICMP
    HTTP
    DNS

2 weeks: Test the protocol mechanisms in a live network
    Set up a testbed
    Install the software
    Obtain results

1 week: Evaluate and collect statistics to set a baseline
    Compare theory and results

References

[1] http://online.securityfocus.com/infocus/1600

[2] http://www.sans.org/resources/idfaq/anomaly_detection.php

[3] http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/?cvsroot=SPADE

[4] http://www.cs.umn.edu/research/minds/MINDS_papers.htm

[5] http://luca.ntop.org/ADS.pdf

[6] http://www.clearsightnet.com/

[7] http://www.nswc.navy.mil/ISSEC/CID/