BIDE (Behavior Intrusion Detection: Enhanced)
CS591
Hakan Evecek
Rodolfo Ortiz
Behavior Based Intrusion Detection Systems (BBIDS) can be described as an alarm for strange system behavior [1]. They build on the idea of an IDS that tests network traffic against a set of rules, but go further: a BBIDS operates from a baseline of normal activity [1]. This baseline is obtained from statistics on network behavior; in other words, a 'profile' of the network is created.
Today a BBIDS can itself be attacked and redefined by intruders: an intruder can train the BBIDS so that it will not detect an attack. A second problem is that a BBIDS generates many false positives during setup and whenever the network environment changes. It is up to the administrator to discard the alerts that are not related to an intrusion, which means constant training [1] to keep the network baseline up to date.
This project will consider how to enhance and extend a BBIDS. There are several commercial and open source BBIDS (Stealth Watch, RealSecure, Cisco NetRanger, McAfee IntruShield, Shadow [7], LADS, SNORT); we will use SNORT, which is an open source Intrusion Detection System. Based on SNORT, improvements will be proposed.
Three protocols will be analyzed: DNS, ICMP, and HTTP vs. HTTPS. For each protocol the timing it generates will be considered: the time it takes to receive an answer must fall within a valid range, which we will determine. The first step is collecting data, and then developing a model that fits the data.
A baseline of what is normal behavior and what is not will be established. For example, an HTTP connection begins with a three-way handshake, which completes in a certain amount of time. Existing BBIDS do not consider this; so, if traffic does not stay close to this timing, it should be flagged as suspicious. It may be a delay of valid traffic or, worse, it may be someone responding to a computer in place of the original one.
A subdomain will be created, running software that generates DNS, ICMP and HTTP/HTTPS traffic. The tools to analyze the packets are TCPDUMP, SNORT, ETHEREAL and a trial version of ClearSight [6]. These packages show the timing and content of each packet.
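The collect-then-model step described above (pair each request with its answer, build a per-protocol timing baseline from a training capture, then flag live answers that arrive outside that range, including ones that come back suspiciously fast) can be written as a small script. The following is an added example, not code from the proposal or from SNORT; it assumes a constructed, simplified one-event-per-line capture format rather than real TCPDUMP or SNORT output, and the sample response times and the three-standard-deviation threshold are made up for illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed one-event-per-line capture format (not real tcpdump/Snort output):
#   HH:MM:SS.ffffff PROTO request|reply TXID
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}\.\d{6})\s+(\w+)\s+(request|reply)\s+(\d+)$")

# Constructed training capture: five normal ICMP echoes and five normal DNS lookups.
BASELINE_CAPTURE = """\
10:00:00.000000 ICMP request 1
10:00:00.004000 ICMP reply 1
10:00:01.000000 ICMP request 2
10:00:01.004200 ICMP reply 2
10:00:02.000000 ICMP request 3
10:00:02.003800 ICMP reply 3
10:00:03.000000 ICMP request 4
10:00:03.004100 ICMP reply 4
10:00:04.000000 ICMP request 5
10:00:04.003900 ICMP reply 5
10:00:05.000000 DNS request 100
10:00:05.020000 DNS reply 100
10:00:06.000000 DNS request 101
10:00:06.022000 DNS reply 101
10:00:07.000000 DNS request 102
10:00:07.018000 DNS reply 102
10:00:08.000000 DNS request 103
10:00:08.021000 DNS reply 103
10:00:09.000000 DNS request 104
10:00:09.019000 DNS reply 104
"""

# Constructed live capture: a slow DNS lookup, a DNS lookup that is never answered,
# a normal ICMP echo, one answered suspiciously fast, and one answered far too slowly.
LIVE_CAPTURE = """\
11:00:01.000000 DNS request 201
11:00:01.120000 DNS reply 201
11:00:02.000000 DNS request 202
11:00:03.000000 ICMP request 7
11:00:03.004100 ICMP reply 7
11:00:04.000000 ICMP request 8
11:00:04.000500 ICMP reply 8
11:00:05.000000 ICMP request 9
11:00:05.050000 ICMP reply 9
"""


def parse_line(line):
    """Return (seconds since midnight, proto, kind, txid), or None for a junk line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, proto, kind, txid = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + float(ss), proto, kind, int(txid)


def response_times(capture):
    """Pair requests with replies by (proto, txid).
    Returns ({proto: [(txid, rtt_seconds), ...]}, [unanswered (proto, txid), ...])."""
    pending, rtts = {}, defaultdict(list)
    for line in capture.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        t, proto, kind, txid = ev
        if kind == "request":
            pending[(proto, txid)] = t
        elif (proto, txid) in pending:  # reply with a matching outstanding request
            rtts[proto].append((txid, t - pending.pop((proto, txid))))
    return dict(rtts), sorted(pending)


def build_baseline(capture, k=3.0):
    """Per-protocol (low, high) bounds of normal response time: mean +/- k stdev."""
    baseline = {}
    for proto, samples in response_times(capture)[0].items():
        values = [rtt for _, rtt in samples]
        if len(values) >= 2:  # need at least two samples to estimate spread
            mean, sd = statistics.mean(values), statistics.stdev(values)
            baseline[proto] = (max(0.0, mean - k * sd), mean + k * sd)
    return baseline


def flag_anomalies(baseline, capture):
    """(proto, txid, rtt, reason) for out-of-range replies and unanswered requests."""
    alerts = []
    rtts, unanswered = response_times(capture)
    for proto, samples in rtts.items():
        low, high = baseline.get(proto, (0.0, float("inf")))  # unseen proto: not judged
        for txid, rtt in samples:
            if rtt < low:
                alerts.append((proto, txid, rtt, "faster than baseline"))
            elif rtt > high:
                alerts.append((proto, txid, rtt, "slower than baseline"))
    alerts.extend((proto, txid, None, "no reply seen") for proto, txid in unanswered)
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_CAPTURE)
    for proto, (low, high) in sorted(base.items()):
        print(f"{proto}: normal reply time {low * 1000:.2f}-{high * 1000:.2f} ms")
    for alert in flag_anomalies(base, LIVE_CAPTURE):
        print("ALERT", alert)
```

Both sides of the range matter: a reply slower than the baseline may be congestion, while a reply faster than anything seen in training is the case the proposal warns about, an answer arriving from a machine closer than the one that was asked. The same pairing works for the handshake case by treating the SYN as the request and the SYN-ACK as the reply, and the baseline should be rebuilt whenever the network changes, since a stale profile is what produces the false positives mentioned above.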
3 weeks: Research the protocols to be analyzed
    ICMP
    HTTP
    DNS
2 weeks: Test the protocol mechanisms in a live network
    Set up a testbed
    Install the software
    Obtain results
1 week: Evaluate and collect statistics to set a baseline
    Compare theory and results
[1] http://online.securityfocus.com/infocus/1600
[2] http://www.sans.org/resources/idfaq/anomaly_detection.php
[3] http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/?cvsroot=SPADE
[4] http://www.cs.umn.edu/research/minds/MINDS_papers.htm
[5] http://luca.ntop.org/ADS.pdf
[6] http://www.clearsightnet.com/
[7] http://www.nswc.navy.mil/ISSEC/CID/