
Network Intrusion Detection

By Beatrice Martin, 2014-02-26 10:06

    A real time packet filtering module for network intrusion detection system

    by

    Guang Yang

    A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of

    MASTER OF SCIENCE

    Major: Computer Science

    Major Professor: R. C. Sekar

    Iowa State University

    Ames, Iowa

    1998


    Graduate College

    Iowa State University

This is to certify that the Master's thesis of

    Guang Yang

    has met the thesis requirements of Iowa State University

    ________________________________

    Major Professor

    ________________________________

    For the Major Program

    ________________________________

    For the Graduate College

    TABLE OF CONTENTS

    ABSTRACT ..... v

    CHAPTER 1. INTRODUCTION ..... 1
    1.1 Network Security and Potential Threats ..... 1
    1.2 Intrusion Detection ..... 2
    1.3 Key Contributions ..... 3
    1.4 Thesis Organization ..... 3

    CHAPTER 2. OVERVIEW OF TCP/IP BASED NETWORK INTRUSION ..... 5
    2.1 TCP/IP Basics ..... 5
    2.1.1 Protocol Hierarchy ..... 5
    2.1.2 IP ..... 5
    2.1.3 UDP ..... 7
    2.1.4 TCP ..... 7
    2.2 Common Vulnerabilities ..... 9
    2.2.1 IP Source Address Spoofing ..... 9
    2.2.2 TCP Sequence Number Prediction ..... 9
    2.2.3 Port Scanning ..... 10
    2.3 Network Intrusions ..... 11
    2.3.1 Denial of Service ..... 11
    2.3.1.1 CHARGEN and ECHO ..... 12
    2.3.1.2 SYN Flooding ..... 12
    2.3.1.3 Other Denial of Service Intrusions ..... 15
    2.3.2 Spoofing ..... 16
    2.3.2.1 Client-Side Spoofing ..... 16
    2.3.2.2 Server-Side Spoofing ..... 18
    2.3.3 Service Specific Intrusions ..... 19
    2.3.3.1 Finger Daemon Attack ..... 19
    2.3.3.2 Routing Infrastructure Intrusions ..... 20
    2.3.3.3 DNS Misuse ..... 20
    2.3.3.4 NFS ..... 22
    2.3.3.5 X-Windows ..... 23

    CHAPTER 3. INTRUSION DETECTION AND PACKET FILTERING ..... 24
    3.1 Current Techniques in Network Security ..... 24
    3.1.1 Audit Trails ..... 24
    3.1.2 Firewall ..... 25
    3.1.2.1 Screening Router ..... 25
    3.1.2.2 Application Gateway ..... 26
    3.2 Packet Filtering ..... 27
    3.2.1 General Issues ..... 28
    3.2.2 Existing Packet-Filtering Systems ..... 28
    3.2.2.1 Linux SOCK_PACKET ..... 28
    3.2.2.2 Data Link Provider Interface ..... 28
    3.2.2.3 BSD Packet Filter ..... 29
    3.2.3 Packet Capture Library ..... 31
    3.3 Bro: An Intrusion Detection System Based on Packet Filtering ..... 32
    3.3.1 Bro Architecture ..... 32
    3.3.2 Bro Language ..... 33
    3.4 Packet Filtering for Network Intrusion Detection ..... 35

    CHAPTER 4. INTRUSION PATTERN SPECIFICATION LANGUAGE ..... 37
    4.1 ASL Syntax ..... 37
    4.2 Packet Structure Description ..... 37
    4.3 Constraint Checking ..... 39
    4.4 Sample Patterns ..... 41

    CHAPTER 5. SYSTEM DESIGN AND IMPLEMENTATION ..... 43
    5.1 System Architecture ..... 43
    5.2 Packet Offset Calculation ..... 44
    5.3 Filter Model for Single Rule ..... 45
    5.4 Filter Integration ..... 47
    5.5 Rule Preprocessing ..... 51
    5.5.1 Rule Decomposition ..... 51
    5.5.2 Constraint Stack Construction ..... 52
    5.6 Automaton Construction ..... 54
    5.6.1 Offset Selection ..... 54
    5.6.2 Sub-Automaton Sharing ..... 56
    5.7 Code Generation ..... 57
    5.8 Data Generation ..... 59

    CHAPTER 6. EXPERIMENTAL RESULTS AND CONCLUSION ..... 62
    6.1 Intrusion Detection Using ASL ..... 62
    6.2 Preliminary Performance Testing ..... 63
    6.2.1 SRVSTAT: Service Statistics ..... 63
    6.2.2 Performance Comparison: ASL vs. BPF ..... 64
    6.3 Conclusion ..... 65

    APPENDIX A PACKET DATA STRUCTURES FOR ASL ..... 67
    APPENDIX B INTRUSION PATTERN SAMPLES ..... 72
    REFERENCES ..... 75
    ACKNOWLEDGEMENTS ..... 77

    ABSTRACT

     Computer networks bring us not only benefits, such as more computing power and better performance for a given price, but also some challenges and risks, especially in the field of system security. During the past two decades, significant effort has been put into network security research and several techniques have been developed for building secure networks. Packet filtering plays an important role in many security-related techniques, such as intrusion detection, access control and firewalls. A packet-filtering system constitutes the first line of defense in a computer network environment. The key issues in the packet-filtering technique are efficiency and flexibility. Efficiency refers to the ability of a filter to quickly capture network packets of interest, while flexibility means the filter can be customized easily for different packet patterns.

     In this thesis, we present a real-time packet-filtering module, which can be integrated into a large-scale network intrusion detection system. The core of this packet-filtering module is a rule-based specification language ASL (Auditing Specification Language), which is used in describing the packet patterns and reactions for a network intrusion detection system. The important features of ASL that are not provided by other packet-filtering systems are protocol independence and type safety. ASL provides a number of new features that distinguish it from other languages used for intrusion detection and packet filtering, such as packet structure description and protocol constraint checking.

     We develop the algorithms and heuristics for constructing fast packet filters from ASL specifications. Our algorithms improve upon existing techniques in that the performance of the generated filters is insensitive to the number of rules. We discuss the implementation of these algorithms and present experimental results.


    CHAPTER 1. INTRODUCTION

     Computation models have experienced a significant change since the emergence of computer networks, which allow heterogeneous computers to communicate with each other. During the past two decades, most centralized systems have been replaced by a number of interconnected computers. This factor has led to more computing power, increased flexibility and better performance/price ratio.

     However, at the same time, we also face many new challenges and risks with networked computing, such as lack of communication reliability, coordination, resource management, and so on. As more and more computer networks are brought into electronic commerce, transaction management, and even national defense, people begin to pay increasing attention to system security.

1.1 Network Security and Potential Threats

     There are a number of security issues for a computer network environment [1]:

    - Availability: The system must be functional and correctly provide services.
    - Confidentiality: The data transmitted from one system to the other must be accessible only to the authorized parties.
    - Authentication: The identity associated with the data must be correct. The identity can apply to a user, host or software component.
    - Integrity: The data being processed or transmitted can be modified only by the authorized parties.
    - Non-repudiation: Neither the sender nor the receiver of data is able to deny the fact of data transmission.

     A system that meets the above criteria can be considered a secure computer network system. A hacker who wants to attack a network thus thinks of ways to compromise the above criteria [1]:

    - Interruption: Destroy a system or make it unavailable or unusable.
    - Interception: Obtain unauthorized access to data.
    - Modification: Compromise data integrity, e.g. modify messages sent from one system to another.

1.2 Intrusion Detection

     As defined by Heady et al. [2], an intrusion is

    any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.

    An intrusion leads to violations of the security policies of a computer system, such as unauthorized access to private information, malicious break-in into a computer system, or rendering a system unreliable or unusable.

     A full-blown network security system should include the following subsystems:

    - Intrusion Detection Subsystem: Distinguishes a potential intrusion from a valid network operation.
    - Protection Subsystem: Protects the network and the security system itself from being compromised by network intrusions.
    - Reaction Subsystem: Either traces down the origin of an intrusion or fights back against the hackers.

     The focus of this thesis is on the intrusion detection subsystem, which constitutes the first line of defense for a computer network system. There are a number of approaches in this field. Most of them fall into three primary categories: anomaly detection, misuse detection and hybrid schemes.

     The anomaly detection approach is based on a model of normal activities in the system. This model can either be predefined or established through techniques such as machine learning. Once there is a significant deviation from this model, an anomaly is reported. By contrast, a misuse detection approach defines specific user actions that constitute a misuse and uses rules for encoding and detecting known intrusions [3]. The hybrid detection approach uses a combination of anomaly and misuse detection techniques.
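The three categories above can be made concrete with a small detector. The following C program is an added example, not code from the thesis: it fits a model of normal activity (mean and variance of per-window traffic counts) for anomaly detection, encodes one rule for misuse detection, and combines the two as a hybrid scheme. The record layout, the baseline counts and the rule itself are constructed for illustration; the rule follows the chargen/echo entry in the thesis outline (a UDP datagram from port 19 to port 7) and is an assumption about what such a rule would look like, not a pattern taken from the thesis text.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed per-host traffic summary for one time window: a hypothetical
 * record shape standing in for what a capture stage would hand the detector. */
typedef struct {
    const char *src;       /* source host, as text */
    unsigned    proto;     /* 6 = TCP, 17 = UDP */
    unsigned    src_port;
    unsigned    dst_port;
    unsigned    attempts;  /* datagrams or connection attempts seen in the window */
} traffic_summary;

/* Model of normal activity for anomaly detection: mean and variance of the
 * per-window attempt count, fitted from windows believed to be normal. */
typedef struct {
    double mean;
    double variance;
} normal_model;

normal_model fit_model(const unsigned *samples, size_t n) {
    normal_model m = {0.0, 0.0};
    if (n == 0) return m;
    double sum = 0.0;
    for (size_t i = 0; i < n; i++) sum += samples[i];
    m.mean = sum / (double)n;
    double sq = 0.0;
    for (size_t i = 0; i < n; i++) {
        double d = (double)samples[i] - m.mean;
        sq += d * d;
    }
    m.variance = sq / (double)n;   /* population variance */
    return m;
}

/* Anomaly detection: flag a window whose attempt count lies more than three
 * standard deviations above the mean. Both sides are squared to avoid sqrt(). */
int anomaly_match(const normal_model *m, const traffic_summary *t) {
    double d = (double)t->attempts - m->mean;
    return d > 0.0 && d * d > 9.0 * m->variance;
}

/* Misuse detection: one rule encoding a known pattern. Assumed rule: a UDP
 * datagram sent from the chargen port (19) to the echo port (7). */
int misuse_match(const traffic_summary *t) {
    return t->proto == 17 && t->src_port == 19 && t->dst_port == 7;
}

/* Hybrid scheme: run both detectors; a rule match outranks a statistical one. */
enum verdict { VERDICT_NORMAL = 0, VERDICT_ANOMALY = 1, VERDICT_MISUSE = 2 };

enum verdict classify(const normal_model *m, const traffic_summary *t) {
    if (misuse_match(t))     return VERDICT_MISUSE;
    if (anomaly_match(m, t)) return VERDICT_ANOMALY;
    return VERDICT_NORMAL;
}

/* Constructed baseline: attempt counts from eight windows of normal traffic
 * (mean 11, population variance 1.5). */
static const unsigned BASELINE[] = {10, 12, 11, 9, 13, 11, 10, 12};

int main(void) {
    normal_model m = fit_model(BASELINE, sizeof BASELINE / sizeof BASELINE[0]);
    traffic_summary windows[] = {
        {"10.0.0.5",  6, 40000, 22, 12},   /* within the baseline */
        {"10.0.0.9",  6, 40001, 25, 40},   /* far above the baseline */
        {"10.0.0.7", 17,    19,  7,  3},   /* matches the misuse rule */
    };
    static const char *names[] = {"normal", "anomaly", "misuse"};
    for (size_t i = 0; i < sizeof windows / sizeof windows[0]; i++)
        printf("%-10s -> %s\n", windows[i].src, names[classify(&m, &windows[i])]);
    return 0;
}
```

The third window shows why the hybrid ordering matters: its count (3) is well within the normal model, so a purely statistical detector would stay silent, while the rule catches it regardless of volume. Conversely the second window matches no rule but is caught by the deviation test.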

1.3 Key Contributions

     Packet filtering is a critical technique in network management, firewall strategy and intrusion detection. However, existing packet filtering systems have a number of limitations in system efficiency, flexibility and scalability. For instance, a packet filter for one protocol suite cannot easily be adapted to another protocol suite. In addition, most packet filters suffer from significant performance degradation as the number of packet patterns increases.

     In this thesis, we present a novel approach for constructing a real-time packet-filtering module that can be used for network intrusion detection purposes. One of the main contributions in our approach is a specification language designed for describing intrusion patterns and reactions. This language provides a number of features that distinguish it from other specification languages used for intrusion detection or packet filtering, such as protocol independence and type safety. Another important focus of our work is the development of fast pattern-matching algorithms (for packet filters) that are insensitive to the number of patterns.

1.4 Thesis Organization

     In chapter 2, we give a brief review of the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite and several security holes in the design and implementation of TCP/IP. Chapter 3 surveys some existing techniques for building a secure computer network system. We also discuss some general issues in packet filtering, which is one of the main techniques in network intrusion detection. In chapter 4, we give a detailed description of our specification language and its application to intrusion detection. Chapter 5 discusses the issues in the design and implementation of our packet-filtering module. The primary concern is to reduce the processing time of a packet filter. In the last chapter, we provide some experimental results from performance testing of our packet filter and summarize our work.

CHAPTER 2. OVERVIEW OF TCP/IP BASED NETWORK INTRUSION

     TCP/IP is the common language used in the world of computer networks. Nevertheless, there exist several security flaws in the protocol design or implementation of TCP/IP. As a result, network hackers, who intend to compromise the target network systems by exploiting these security holes, have invented various intrusion methods.

2.1 TCP/IP Basics

     Developed under the sponsorship of DARPA (Defense Advanced Research Projects Agency), TCP/IP is the most widely used communication protocol suite today. It is the de facto standard employed to interconnect computing facilities in modern network environments.

2.1.1 Protocol Hierarchy

     TCP/IP is designed through a layered approach, with each layer responsible for a different facet of communication [4]. This hierarchical architecture makes it possible for each protocol layer to evolve independently without affecting the adjacent layers. In addition, data encapsulation is achieved through the headers of the different layers, such as the IP header, the TCP header or application-level headers, as shown in Figure 2.1. These headers are important in keeping the state information for each network connection and facilitating multiplexing and de-multiplexing of transmission messages.
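The encapsulation described above is what a packet filter has to undo before it can test any field: each header carries the information needed to locate the next one (the EtherType selects IP, the IP header length and protocol fields select and locate TCP or UDP, and the TCP data offset locates the application data). The following C parser is an added example, not code from the thesis or its ASL system; the frame bytes are constructed for illustration (the IP checksum field is left at zero and is not validated), and every length field is checked against the bytes actually captured so that a truncated or malformed frame is rejected rather than read out of bounds.

```c
#include <stddef.h>
#include <stdio.h>

/* Result of walking the header chain of one captured frame. */
typedef struct {
    unsigned ethertype;
    unsigned ip_hdr_len;      /* IPv4 header length in bytes (IHL * 4) */
    unsigned ip_total_len;    /* IPv4 total length field */
    unsigned ip_proto;        /* 6 = TCP, 17 = UDP */
    unsigned char src_ip[4];
    unsigned char dst_ip[4];
    unsigned src_port;
    unsigned dst_port;
    unsigned tcp_flags;       /* 0 for UDP */
    size_t   payload_off;     /* offset of application data within the frame */
    size_t   payload_len;
} parsed_frame;

/* Network byte order is big-endian: read a 16-bit field without relying on
 * host endianness or struct packing. */
static unsigned rd16(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Walk Ethernet -> IPv4 -> TCP/UDP. Every header is bounds-checked against
 * the captured length n. Returns 0 on success, a negative code otherwise. */
int parse_frame(const unsigned char *f, size_t n, parsed_frame *out) {
    size_t off = 0;
    if (n < 14) return -1;                                /* truncated Ethernet header */
    out->ethertype = rd16(f + 12);
    if (out->ethertype != 0x0800) return -2;              /* only IPv4 handled here */
    off = 14;

    if (n < off + 20) return -3;                          /* truncated IPv4 header */
    if ((f[off] >> 4) != 4) return -4;                    /* version field is not 4 */
    out->ip_hdr_len = (f[off] & 0x0f) * 4;                /* IHL: header length in 32-bit words */
    if (out->ip_hdr_len < 20 || n < off + out->ip_hdr_len) return -5;
    out->ip_total_len = rd16(f + off + 2);
    if (out->ip_total_len < out->ip_hdr_len || out->ip_total_len > n - off) return -6;
    out->ip_proto = f[off + 9];
    for (int i = 0; i < 4; i++) {
        out->src_ip[i] = f[off + 12 + i];
        out->dst_ip[i] = f[off + 16 + i];
    }
    size_t ip_end = off + out->ip_total_len;              /* Ethernet padding beyond this is ignored */
    off += out->ip_hdr_len;                               /* IP options, if any, are skipped */

    size_t l4_len;
    if (out->ip_proto == 6) {                             /* TCP */
        if (ip_end < off + 20) return -7;
        l4_len = (f[off + 12] >> 4) * 4;                  /* data offset, in 32-bit words */
        if (l4_len < 20 || ip_end < off + l4_len) return -8;
        out->tcp_flags = f[off + 13];
    } else if (out->ip_proto == 17) {                     /* UDP: fixed 8-byte header */
        if (ip_end < off + 8) return -9;
        l4_len = 8;
        out->tcp_flags = 0;
    } else {
        return -10;                                       /* other transports not handled */
    }
    out->src_port = rd16(f + off);
    out->dst_port = rd16(f + off + 2);
    out->payload_off = off + l4_len;
    out->payload_len = ip_end - out->payload_off;
    return 0;
}

/* Constructed frame: Ethernet + IPv4 + TCP SYN carrying four bytes of data. */
static const unsigned char FRAME[] = {
    /* Ethernet (14 bytes): dst MAC, src MAC, EtherType 0x0800 = IPv4 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4 (20 bytes): version 4, IHL 5, total length 44, TTL 64, protocol 6 = TCP */
    0x45,0x00, 0x00,0x2c, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00,
    0xc0,0xa8,0x01,0x0a,   /* src 192.168.1.10 */
    0xc0,0xa8,0x01,0x14,   /* dst 192.168.1.20 */
    /* TCP (20 bytes): src port 40000, dst port 80, data offset 5, flags SYN */
    0x9c,0x40, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0x20,0x00, 0x00,0x00, 0x00,0x00,
    /* application data (4 bytes) */
    'G','E','T',' '
};

int main(void) {
    parsed_frame p;
    int rc = parse_frame(FRAME, sizeof FRAME, &p);
    if (rc != 0) { printf("parse error %d\n", rc); return 1; }
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u proto %u flags 0x%02x, %zu payload bytes at offset %zu\n",
           p.src_ip[0], p.src_ip[1], p.src_ip[2], p.src_ip[3], p.src_port,
           p.dst_ip[0], p.dst_ip[1], p.dst_ip[2], p.dst_ip[3], p.dst_port,
           p.ip_proto, p.tcp_flags, p.payload_len, p.payload_off);
    return 0;
}
```

Because the IP and TCP header lengths are carried in the packet, the offset of a field such as the destination port is not a constant; it has to be computed per packet from the preceding headers, and a filter that trusts those length fields without comparing them to the captured size will read past the end of short or crafted frames.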

2.1.2 IP

     IP is the workhorse protocol of the TCP/IP protocol suite. It provides an unreliable, connectionless datagram delivery service. All the TCP, UDP (User Datagram Protocol),
