Auralization of Intrusion Detection System using JListen
DISSERTATION
Submitted in the partial fulfillment of the requirements of
BITS G629T Dissertation
By
Gopinath M C
1998HS12176
Under the Supervision of
Prof. K.Venkatasubramainan
Assistant Dean, Distance Learning Programme Division
Birla Institute of Technology and Science
Pilani, India
Under the Guidance of
Prof Aditya P Mathur
Department of Computer Science
Purdue University
West Lafayette, IN, USA
BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE
PILANI (RAJASTHAN), INDIA.
March, 2004
Table of Contents
1. Introduction
2. Background
3. Experimental Design for the auralization of Snort
4. Tasks Completed
5. Plan of Work
6. References
1. Introduction
Intrusion detection is one of the key components of the network management function.
An intrusion detection system (IDS) examines a host or a network to identify possible intrusions
or attacks. It can be either network-based or host-based; network-based systems are the more
common. Network-based intrusion detection systems examine all the packets flowing through the
network for signs of attack, while host-based systems look at user and process activity on the
local machine for signs of intrusion.
Signature-based analysis is used in most intrusion detection systems. These systems detect
attacks by pattern matching, so detecting every attack requires prior knowledge of every possible
pattern of intrusion. In practice, legitimate requests sometimes match the signatures available to
the intrusion detection system, and the existing systems then generate false positives. Acting on a
false positive tends to deny the operation requested by a legitimate user or process. To minimize
such occurrences, early detection of false positives is needed. The network administrator can
achieve this through frequent manual review of the logs generated by the intrusion detection
system. Early warning or detection of intrusions will help to avert damage to the network, and
manual intrusion detection [2] can be an effective way to support such early warning.
Frequent review of logs minimizes the false positives of the IDS. Early warnings also help
the administrator update the signatures of the IDS to prevent false negatives. Though log review
is an offline activity, we believe that it can be performed in near real time, at appropriate intervals,
with the help of sound. Whenever a (likely) intrusion occurs, an appropriate aural signal of the
malicious activity would prompt the network administrator to review the logs. This can be done
through auralization of the intrusion detection system.
The goal of this work is to investigate how useful auralization is in improving the
accuracy of intrusion detection systems. This report gives a brief summary of JListen and lists the
auralization points considered in Snort, the intrusion detection system we have selected for
experimentation with JListen.
2. Background
Auralization, or sonification, is the use of non-speech audio to convey information.
Auralization of programs maps events or points during program execution to sound signals.
Auralization is intended to allow program monitoring from a different perspective, with the
help of sound. Listen/C [1] is a tool that auralizes programs written in C in order to understand
their run-time behavior. Each programming construct is mapped to a particular set of sound
patterns, and the mapping between events and sound patterns is specified in the Listen
Specification Language (LSL). When an auralized program executes, it generates sound calls that
let the programmer or a user monitor the program's behavior.
JListen is an open-source tool to auralize Java programs. It is based on Listen/C. JListen
is a distributed, versatile (easily configurable) and portable system that allows auralization of Java
programs. The architecture of JListen consists of three components:
o Instrumentor
o Configuration Server
o Listener
The user specifies the Java programs to be auralized along with a set of event-sound
mappings. The program is then instrumented with the aid of the Instrumentor. The instrumented
program is registered with a central server component called the Configuration Server, which
maintains the details of registered auralized programs, i.e., their lists of event-sound mappings.
Users interested in listening to auralized programs must also register with the Configuration
Server; these registered users, or nodes, are known as Listeners. When an instrumented program
is executed, it sends sound signals to the Configuration Server, which in turn multicasts them to
the Listeners registered for that particular program.
The features of JListen components are briefly summarized below.
2.1 Instrumentor
This component instruments the Java program. It has the following features:
o Provides an interface to map events to sound patterns
o Provides an interface to register with the Configuration Server
o The instrumented program contains the sound-call libraries it needs to communicate with
the Configuration Server, so it can be executed on a machine (environment) different from
that of the Instrumentor
2.2 Configuration Server
This component acts as the central server for instrumented programs and Listeners. Its
features include:
o An interface to view the Listeners registered for a particular program and their status,
i.e., whether they are logged in or logged out
o Multicasting the events sent by an executing auralized program to the set of Listeners
registered for it
o Holding the event-sound mapping information for the set of registered instrumented
programs
2.3 Listener
This component generates musical output from the events sent by the Configuration
Server. A Listener has the following features:
o An interface to register with a particular Configuration Server
o An interface to log in to or log out from the Configuration Server
o A facility to register for a particular set of auralized programs
o Customization of event-sound mappings, i.e., a different sound variable can be associated
with an event, and listening for an event can be switched on or off
o A facility to record the events of a program in a Musical Instrument Digital Interface
(MIDI) file
o An interface to play back the recorded events of a program
In JListen, the following constructs of a Java program can be decorated with the aid of the
Instrumentor; these are the available auralization points:
o Activity track for a method
o Data track for a variable
o Method call entry and exit
o Method body begin and end, with support for polymorphism
o Loop statement entry and exit
o Recursive method call
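As an added example, not JListen's own code (which this report does not reproduce), the following Python sketch models the pipeline described in this section: a Configuration Server that holds each program's event-sound mapping and multicasts sound calls to the logged-in Listeners registered for that program; a Listener that can switch an event off or substitute its own sound variable, and that records what it heard as a MIDI file; and a recursive method decorated with sound calls at method entry, at each recursive call and at method exit. The event names, the note numbers, the program name `Fib` and the tick clock are assumptions; JListen instruments real Java programs, which the hand-placed `publish` calls stand in for here.

```python
"""Toy model of the JListen pipeline: instrumented program -> Configuration
Server -> Listeners, with a Listener that can mute or re-map events and record
them to a MIDI file. Added example; event names and notes are assumptions."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, List, Set, Tuple

@dataclass(frozen=True)
class SoundSpec:               # a sound variable: MIDI note number and length in ticks
    note: int
    duration: int

def _vlq(n: int) -> bytes:
    out = [n & 0x7F]           # MIDI variable-length quantity: 7 bits per byte,
    n >>= 7                    # high bit set on every byte but the last
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

@dataclass
class Listener:
    name: str
    logged_in: bool = True
    muted: Set[str] = field(default_factory=set)                   # events switched off
    overrides: Dict[str, SoundSpec] = field(default_factory=dict)  # customised sounds
    recorded: List[Tuple[int, str, SoundSpec]] = field(default_factory=list)

    def receive(self, event: str, spec: SoundSpec, at: int) -> None:
        if event not in self.muted:
            self.recorded.append((at, event, self.overrides.get(event, spec)))

    def to_midi(self, division: int = 96) -> bytes:
        # Render the recording as a format-0 Standard MIDI File, one track, channel 0.
        timed: List[Tuple[int, bytes]] = []
        for at, _event, s in self.recorded:
            timed.append((at, bytes([0x90, s.note, 100])))             # note on
            timed.append((at + s.duration, bytes([0x80, s.note, 0])))  # note off
        timed.sort(key=lambda e: e[0])
        track, last = bytearray(), 0
        for at, msg in timed:
            track += _vlq(at - last) + msg       # delta time, then channel message
            last = at
        track += b"\x00\xff\x2f\x00"             # end-of-track meta event
        header = (b"MThd" + (6).to_bytes(4, "big") + (0).to_bytes(2, "big")
                  + (1).to_bytes(2, "big") + division.to_bytes(2, "big"))
        return header + b"MTrk" + len(track).to_bytes(4, "big") + bytes(track)

class ConfigurationServer:
    """Holds each program's event-sound mapping and the Listeners subscribed to it."""
    def __init__(self) -> None:
        self.mappings: Dict[str, Dict[str, SoundSpec]] = {}
        self.listeners: Dict[str, List[Listener]] = {}

    def register_program(self, program: str, mapping: Dict[str, SoundSpec]) -> None:
        self.mappings[program] = dict(mapping)
        self.listeners.setdefault(program, [])

    def register_listener(self, program: str, listener: Listener) -> None:
        self.listeners[program].append(listener)

    def publish(self, program: str, event: str, at: int) -> int:
        """A sound call from an instrumented program; returns listeners reached."""
        spec = self.mappings[program].get(event)
        if spec is None:                         # unmapped event: nothing to play
            return 0
        live = [l for l in self.listeners[program] if l.logged_in]
        for listener in live:
            listener.receive(event, spec, at)
        return len(live)

def instrumented_fib(server: ConfigurationServer, program: str, n: int,
                     clock: Iterator[int]) -> int:
    """fib(n) with sound calls at entry, each recursive call and exit; clock yields ticks."""
    server.publish(program, "method_entry", next(clock))
    if n < 2:
        result = n
    else:
        server.publish(program, "recursive_call", next(clock))
        result = (instrumented_fib(server, program, n - 1, clock)
                  + instrumented_fib(server, program, n - 2, clock))
    server.publish(program, "method_exit", next(clock))
    return result

def demo(n: int = 3) -> Tuple[int, List[Listener]]:
    """One program, three Listeners with different settings; returns fib(n) and them."""
    server = ConfigurationServer()
    server.register_program("Fib", {
        "method_entry":   SoundSpec(note=60, duration=12),   # C4
        "recursive_call": SoundSpec(note=67, duration=12),   # G4
        "method_exit":    SoundSpec(note=48, duration=12),   # C3
    })
    listeners = [Listener("everything"),
                 Listener("no_recursion", muted={"recursive_call"}),
                 Listener("offline", logged_in=False)]
    for listener in listeners:
        server.register_listener("Fib", listener)
    return instrumented_fib(server, "Fib", n, count(0, 24)), listeners
```

Calling `demo(3)` runs fib(3), which makes five method calls and recurses twice, so the first Listener records 12 events, the second (with the recursive-call event switched off) records 10, and the logged-out one records nothing; `listeners[0].to_midi()` returns bytes that any MIDI player will accept once written to a `.mid` file.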
3. Experimental Design for the auralization of Snort
Network intrusion detection systems (NIDS) are an important part of any network
security architecture. They provide a layer of defense that monitors network traffic for
predefined suspicious activity or patterns and alerts system administrators when potentially hostile
traffic is detected. Snort [3] is a libpcap-based [4] packet sniffer and logger that can be used as a
network intrusion detection system. It features rule-based logging and performs content pattern
matching, detecting a variety of attacks and probes such as buffer overflows and stealth port
scans. It also has real-time alerting capability, with alerts that can be sent to syslog.
3.1 Hypotheses
1. Auralization would help in the early detection of false positives.
2. Early detection of false positives would help in fine-tuning the intrusion detection
system to avert false positives in the future.
3. Auralization would assist frequent manual review of logs, which will help in
identifying false negatives of the intrusion detection system.
3.2 Experimental Procedure
The hypotheses can be tested by comparing a user's ability to identify false positives and
false negatives with the normal system and with the auralized system. The subjects would be
students with knowledge of network security. A questionnaire will be given to the students to
evaluate the timeliness with which they identify false positives and false negatives on the normal
and on the auralized system.
We propose to study the effectiveness of auralization in network intrusion detection
systems with the help of Snort. For this purpose we plan to use JListen to auralize the following
events in Snort:
i. Requests from a suspicious host or network
ii. Requests for a non-existing service
iii. Packet holding suspicious payload data
iv. Detection of traceroute attempts
v. Number of connection requests exceeding a threshold value
vi. ICMP Echo request
vii. ICMP Timestamp request
viii. TCP packet with zero flags set (NULL packet)
ix. TCP packet with all flags set (XMAS packet)
x. TCP packet with SYN and FIN flags set
xi. Detection of denial of service attacks
xii. Detection of a non-standard protocol or event
xiii. Attempted Administrator Privilege Gain
xiv. Attempted User Privilege Gain
xv. Successful Administrator Privilege Gain
xvi. Successful User Privilege Gain
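As an added example, not part of the original report and not Snort's or JListen's code, the following Python maps Snort alert lines to the auralization points listed above, which is the classification an auralized Snort must make before issuing a sound call. Points xi to xvi coincide with Snort's own classification descriptions, so those are matched on the `Classification:` field; points iv and vi to x are matched on keywords in the rule message, and that keyword table is an assumption about how the local rules are named rather than Snort's message text. The `tcp_flag_event` function decides points viii to x directly from a raw TCP flags byte and additionally flags the FIN/PSH/URG combination that nmap's Xmas scan sends. The alert lines are constructed for the example (local rule SIDs and private addresses), shaped like Snort's one-line alert output.

```python
"""Snort alert lines -> auralization events. Added example; alerts are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits as laid out in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SIX_FLAGS = FIN | SYN | RST | PSH | ACK | URG

def tcp_flag_event(flags: int) -> Optional[str]:
    """Point viii, ix or x for a raw TCP flags byte, else None. The ECN bits
    (0x40, 0x80) are masked off, so an ECN-only segment still reads as NULL."""
    f = flags & SIX_FLAGS
    if f == 0:
        return "NULL packet"                        # viii: no flags set
    if f == SIX_FLAGS:
        return "XMAS packet"                        # ix: all flags set
    if f == FIN | PSH | URG:
        return "XMAS packet (FIN/PSH/URG variant)"  # nmap -sX style; added here
    if f & SYN and f & FIN:
        return "SYN&FIN packet"                     # x: never legitimate together
    return None

@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    classification: Optional[str]
    src: str
    dst: str

# One-line alert shape (constructed to resemble Snort's alert_fast output).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def parse_alert(line: str) -> Optional[Alert]:
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], m["cls"], m["src"], m["dst"])

# Snort classtype descriptions that coincide with points xi-xvi.
CLASSIFICATION_EVENTS = {
    "Attempted Denial of Service": "Denial of Service attack",
    "Denial of Service": "Denial of Service attack",
    "Detection of a non-standard protocol or event": "Non-standard protocol or event",
    "Attempted Administrator Privilege Gain": "Attempted Administrator Privilege Gain",
    "Attempted User Privilege Gain": "Attempted User Privilege Gain",
    "Successful Administrator Privilege Gain": "Successful Administrator Privilege Gain",
    "Successful User Privilege Gain": "Successful User Privilege Gain",
}

# Keyword tests on the rule message for points iv and vi-x. The keywords are
# an assumption about how the local rules are named, not Snort's message text.
MESSAGE_EVENTS = [
    ("TRACEROUTE", "Traceroute attempt"),
    ("TIMESTAMP", "ICMP Timestamp request"),
    ("ICMP PING", "ICMP Echo request"),
    ("SCAN NULL", "NULL packet"),
    ("SCAN XMAS", "XMAS packet"),
    ("SYN FIN", "SYN&FIN packet"),
]

def auralization_event(alert: Alert) -> Optional[str]:
    """Auralization point an alert belongs to; None means it stays silent."""
    if alert.classification in CLASSIFICATION_EVENTS:
        return CLASSIFICATION_EVENTS[alert.classification]
    upper = alert.msg.upper()
    for keyword, event in MESSAGE_EVENTS:
        if keyword in upper:
            return event
    return None

def events_from_log(text: str) -> List[Tuple[str, str]]:
    """(source, event) for every parseable alert line that maps to a point."""
    out = []
    for line in text.splitlines():
        alert = parse_alert(line)
        event = auralization_event(alert) if alert else None
        if event is not None:
            out.append((alert.src, event))
    return out

# Constructed sample log: local rule SIDs (1000001+) and private addresses.
SAMPLE_ALERTS = """\
03/15-14:22:31.120000  [**] [1:1000001:1] LOCAL ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
03/15-14:22:32.000000  [**] [1:1000002:1] LOCAL ICMP Timestamp Request [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
03/15-14:22:33.000000  [**] [1:1000003:1] LOCAL SCAN NULL [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.1:22
03/15-14:22:34.000000  [**] [1:1000004:1] LOCAL SCAN XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40002 -> 10.0.0.1:22
03/15-14:22:35.000000  [**] [1:1000005:1] LOCAL SCAN SYN FIN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40003 -> 10.0.0.1:80
03/15-14:22:36.000000  [**] [1:1000006:1] LOCAL /bin/sh in URI [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:40004 -> 10.0.0.1:80
03/15-14:22:37.000000  [**] [1:1000007:1] LOCAL root shell prompt [**] [Classification: Successful Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.1:23 -> 10.0.0.5:40005
03/15-14:22:38.000000  [**] [1:1000008:1] LOCAL ICMP traceroute [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.1
"""
```

`events_from_log(SAMPLE_ALERTS)` yields one (source, event) pair per constructed line; an alert whose classification is outside the table and whose message matches no keyword returns `None` from `auralization_event` and is left silent, which is the intended behaviour for traffic outside the sixteen points. The two rule-set caveats a practitioner would keep in mind: Snort ships both an all-flags XMAS rule and an nmap FIN/PSH/URG variant, so point ix should be mapped to both, and points i, ii, iii and v do not correspond to a single rule or classification and need their own rules or preprocessor output before they can be auralized.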
The experiment shall be conducted with the aforementioned auralization points. The first
phase of the experiment includes the development of modules to simulate attacks in the network.
The second phase shall include the auralization of Snort and the determination of the
effectiveness of auralization in Snort from the feedback given by the subjects.
3.3 Data Analysis
The scores given by the students through the questionnaire will be used as experimental data.
The difference in scores between the normal and the auralized system will measure the
effectiveness of auralization in the intrusion detection system.
4. Tasks Completed
Serial Number  Task
1              Preparation of Snort for experimentation
2              Proper implementation of atrack (the activity track for a method) in JListen
3              Recursive function call auralization
4              Auralization of methods with support for polymorphism
5              Identification of auralization events in Snort
6              Creation of MIDI files for the recorded programs
5. Plan of Work
Serial Number  Task                                                              Deadline
1              Updating JListen with all the following features required for     22/3/2004
               experimentation:
               1. Loop body auralization (For_body_begin, For_body_end,
                  while_body_begin, while_body_end, if_body_begin, if_body_end)
               2. Parameterized auralization
               3. Exceptions
               4. Static blocks
2              Development of modules to simulate attacks in the network or in   7/4/2004
               a system
3              Auralization of Snort and experimental determination of the       20/4/2004
               usability of auralization in Snort
4              Submission of the proposed work                                   30/4/2004
6. References
[1] D. Boardman, G. Greene, V. Khandelwal, and A. P. Mathur, "LISTEN: A Tool to Investigate
the Use of Sound for the Analysis of Program Behavior", in Proceedings of the 19th Annual
International Computer Software and Applications Conference (COMPSAC '95), Dallas, TX,
pages 184-193, August 1995. IEEE Press.
[2] Julia Allen et al., "State of the Practice of Intrusion Detection Technologies", Carnegie Mellon
Software Engineering Institute, Pittsburgh, PA, January 2000.
[3] Martin Roesch et al., "Snort, a lightweight intrusion detection system", http://www.snort.org
[4] Steve McCanne et al., "Packet capturing library", Lawrence Berkeley National Laboratory,
ftp://www.ee.lbl.gov/libpcap.tar.Z