Session 1341: Case Studies of Security Studies of Intrusion Traffic Patterns Using OPNET
Mian Zhou, Sheau-Dong Lang
University of Central Florida
Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties.

Slide 2: Outline
• Simulation of network intrusion scenarios.
• Testing a frequency-based intrusion detection strategy.
• Studying the effects of transmission delays on our detection strategy.

Slide 3: Our Approach to Intrusion Simulation
Use OPNET to simulate intrusion scenarios by replaying the network traffic.
Traffic data sources:
• The publicly available datasets from MIT Lincoln Lab.
• Self-generated attack traffic. Attack tools: Nmap, Battle. Sniffer: Ethereal.

Slide 4: Simulation using OPNET
[Figure: the network domain, node domain, and process domain of the model, with the C code for a process node.]

Slide 5: Pre-processing Traffic Data
Process the TCPDUMP data to extract:
• The packet inter-arrival times.
• The traffic duration.
• A list of the distinct IP addresses in the traffic source.
Build a network model with the end nodes corresponding to the extracted IP addresses.

Slide 6: OPNET Model — Packet Generator
Packet format: drop the payload of the original packets but retain the IP header information, including IP address, port number, packet size, time stamp, flags, etc.
[Figure: the attribute panel of the packet generator, with scripted packet inter-arrival times calculated from pre-processing the source data.]

Slide 7: Two Sample Outputs from Simulation of the ProcessTable Attack
[Figure: (a) number of distinct port connections to a victim; (b) data traffic to port 25 of the victim PC.]
Data source: 1999 Lincoln Week 5 outside data. DoS attack: ProcessTable.

Slide 8: Frequency-based Intrusion Detection
Observation:
• Certain network attacks are executed by running pre-written scripts which automate the process of connecting to various ports, sending packets with fabricated payloads, etc.
Frequency-based intrusion detection:
• Use the Discrete Fourier Transform (DFT) to identify periodicity patterns.
Where to find the periodicity patterns:
• The time series of packets' inter-arrival times.
• The time series of packet arrival rates.
• The size distribution of packet payloads.

Slide 9: Overall Detection Strategy
[Flowchart with the following stages:]
• Traffic data
• Parse new connections
• New connection history
• Variance analysis: average variance of packet size for each connection
• Compare with a threshold value; pass the trusty connections
• Generate the time-series data: a data sequence for each connection, and a data sequence for multiple connections
• DFT
• Local frequency pattern; global frequency pattern
• Report attacks
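The pipeline on this slide, written out as an added example in plain Python; it is not code from the talk, from OPNET or from the Lincoln Lab tooling. It also covers the pre-processing of slide 5, since the same parse yields the inter-arrival times, the traffic duration and the distinct addresses. Everything that follows is an assumption of the example rather than a detail the slides give: the constructed packet records, the use of packet-size variance against a fixed threshold to pass "trusty" connections, the peak-to-mean ratio of the non-DC DFT magnitudes |F(k)| as the periodicity score, and the score threshold of 8. The FFT is a plain radix-2 implementation so the example runs without NumPy.

```python
import cmath
import random
from collections import defaultdict


def build_sample_packets():
    """Constructed records (ts_seconds, src, dst, dst_port, size_bytes);
    not taken from the Lincoln Lab data."""
    packets = [(0.0, "10.0.0.5", "10.0.0.9", 80, 60)]
    t = 0.0
    # Scripted connection: a 4-step cycle of delays repeated 16 times, fixed size.
    for _ in range(16):
        for gap in (0.02, 0.02, 0.02, 0.30):
            t += gap
            packets.append((t, "10.0.0.5", "10.0.0.9", 80, 60))
    rng = random.Random(7)
    t = 0.0
    # Irregular timing, fixed size: reaches the DFT step and should not be flagged.
    for _ in range(65):
        t += rng.expovariate(10.0)           # mean gap 0.1 s
        packets.append((t, "10.0.0.7", "10.0.0.9", 80, 60))
    t = 0.0
    # Bulk transfer with varied sizes: passed as "trusty" by the variance test.
    for _ in range(65):
        t += rng.expovariate(10.0)
        packets.append((t, "10.0.0.8", "10.0.0.9", 80, rng.randint(60, 1500)))
    return packets


def summarize(packets):
    """Pre-processing summary: traffic duration and the distinct IP addresses
    that become the end nodes of the simulated network."""
    times = [p[0] for p in packets]
    hosts = sorted({p[1] for p in packets} | {p[2] for p in packets})
    return max(times) - min(times), hosts


def parse_connections(packets):
    """Group packets by (src, dst, dst_port); return per connection the
    inter-arrival time series and the list of packet sizes."""
    history = defaultdict(list)
    for ts, src, dst, port, size in sorted(packets):
        history[(src, dst, port)].append((ts, size))
    series = {}
    for key, recs in history.items():
        times = [ts for ts, _ in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        series[key] = (gaps, [size for _, size in recs])
    return series


def variance(values):
    mean = sum(values) / len(values)
    return sum((v - mean) ** 2 for v in values) / len(values)


def fft(x):
    """Radix-2 Cooley-Tukey FFT, O(N log N); input is zero-padded to a power of two."""
    n = len(x)
    if n & (n - 1):
        x = list(x) + [0.0] * ((1 << n.bit_length()) - n)
        n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def periodicity_score(series):
    """Peak-to-mean ratio of the non-DC magnitudes |F(k)|, k >= 1, of the
    mean-centred series.  A periodic series piles its energy into a few bins,
    so the ratio is large; irregular traffic stays near 2-3."""
    mean = sum(series) / len(series)
    mags = [abs(c) for c in fft([v - mean for v in series])][1:]
    avg = sum(mags) / len(mags)
    return max(mags) / avg if avg > 0 else 0.0


def detect(packets, size_var_threshold=1000.0, score_threshold=8.0):
    """Return {connection: (score or None, flagged)}.  Connections whose packet
    sizes vary widely are passed as trusty (score None); the rest are scored."""
    report = {}
    for key, (gaps, sizes) in parse_connections(packets).items():
        if len(gaps) < 8:
            continue                         # too short for a usable spectrum
        if variance(sizes) > size_var_threshold:
            report[key] = (None, False)
            continue
        score = periodicity_score(gaps)
        report[key] = (score, score >= score_threshold)
    return report


if __name__ == "__main__":
    for conn, (score, flagged) in sorted(detect(build_sample_packets()).items()):
        print(conn, score, "ATTACK" if flagged else "ok")
```

Run as a script, the 4-step scripted connection scores 21 (its energy sits in three harmonic bins) and is reported, the irregular connection scores around 2-3 and passes, and the bulk transfer never reaches the DFT. A script with randomized delays flattens the spectrum and lowers the score, which is the limitation the authors name in their conclusions.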
Slide 10: Frequency Extraction by Discrete Fourier Transform (DFT)
For a given data sequence s(n), where n ≥ 0 is a discrete value representing the time, its DFT coefficients F(k) are defined as follows:

$$F(k) = \sum_{n=0}^{N-1} s(n)\, e^{-j 2\pi k n / N}, \qquad 0 \le k \le N-1,$$

where N is the length of s(n). Expanding the right-hand side yields

$$F(k) = \sum_{n=0}^{N-1} s(n)\cos(2\pi k n / N) \;-\; j \sum_{n=0}^{N-1} s(n)\sin(2\pi k n / N).$$

Using the Fast Fourier Transform (FFT) procedure, the frequency data F(k) can be computed in O(N log N) time.

Slide 11: Detection Results: the ProcessTable Attack
[Figure: six panels, 1 to 6.] Frequency patterns extracted by DFT on inter-arrival times of six connections. Connections 2 and 4 show periodicity patterns. The traffic of connection 2 is the ProcessTable attack; connection 4 is a Probe attack, which probes the target's ports ranging from 1794 to 2631.

Slide 12: Detection Results: the Dictionary Attack
[Figure: six panels, 1 to 6.] Frequency patterns on inter-arrival times of six connections for the Dictionary attack. Connection 2 shows the password guessing (dictionary) attack.

Slide 13: Detection Results: the sshProcessTable Attack
[Figure: six panels, 1 to 6.] Frequency patterns of the rates of packet arrivals of six connections for the sshProcessTable attack. Connection 2 contains the attack traffic.
[Figure: six panels, 1 to 6.] Frequency patterns of inter-arrival times for six connections. Connection 2 shows the attack traffic.

Slide 14: The Effect of Transmission Delays on Frequency Patterns
[Figure: panels (a), (b), (c).] The spectrum (frequency patterns) of three time series, where the original data values lie in [0.002, 0.5].
(a) The spectrum of the original data series X(t).
(b) The spectrum of X(t) + exp(0.5) (exponentially distributed delay with mean value 0.5 seconds).
(c) The spectrum of X(t) + exp(5).

Slide 15: Transmission Delay in LANs
[Figure: a simple LAN, in which the web client sends the traffic to three servers.] We collected the inter-arrival times of the traffic to the main server.
[Figure: the profile configuration panel.]

Slide 16: The Effect of Transmission Delays
[Figure: panels (a), (b).] Frequency patterns collected at the main server, when other types of explicit traffic loads are added to the web client traffic. The inter-arrival times and frequency patterns collected: (a) at the sender (the web client); (b) at the receiver (the main server).

Slide 17: Transmission Delays in WANs
The packet delivery process of the custom traffic is controlled by scripted packet time intervals.
[Figure: a WAN, in which the site Dublin sends traffic to the site London through an Internet cloud. Other types of traffic, such as email and FTP, are created by the other five nodes and coexist with the custom traffic from Dublin.]
[Figure: the configuration panel for the Internet cloud, where we specify the statistical distribution of the packet latency caused by traversing the Internet.]

Slide 18: The Effect of Transmission Delays in WANs
[Figure.] Frequency patterns of the packet inter-arrival times with different Internet transmission delays. The distributions for transmission delay include constant, uniform, and exponential.
[Figure.] Frequency patterns of the packet inter-arrival times with exponentially distributed transmission delays. The spectrum starts to deviate from the original as the mean value increases.

Slide 19: Conclusions
Frequency-based intrusion detection:
• Detects anomalous traffic behaviors (those that contain periodicity patterns).
• Improves the effectiveness of signature-based intrusion detection systems when combined with other simple statistical features of the traffic data.
• Needs measures to counter attacks with randomized scripts.
• Limited to attacks with relatively long duration and heavy load.
Transmission delay on frequency patterns:
• Frequency patterns will not be affected by a near-constant transmission delay.
• Frequency patterns persist in LANs.
• In WANs, further studies on packet latency are required.
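The X(t) + exp(mean) experiment of slide 14 and the constant-delay observation in the conclusions, reproduced numerically as an added example; it is not the authors' code or data. The periodic test series with values in [0.002, 0.5], the same-seed exponential noise so that the three mean values are comparable, and the relative Euclidean distance between the non-DC magnitude spectra used to quantify "deviation" are all assumptions of this example. It uses the direct O(N²) DFT sum, which is enough for a 64-sample series.

```python
import cmath
import math
import random


def dft_magnitudes(series):
    """|F(k)| for k = 0..N-1 by the direct DFT sum (O(N^2); N is small here)."""
    n = len(series)
    return [abs(sum(series[i] * cmath.exp(-2j * math.pi * k * i / n)
                    for i in range(n))) for k in range(n)]


def spectral_deviation(original, delayed):
    """Relative distance between the two non-DC magnitude spectra.
    Bin k = 0 is dropped: a constant added to every sample changes only that
    bin, which is why a near-constant delay leaves the pattern intact."""
    a, b = dft_magnitudes(original)[1:], dft_magnitudes(delayed)[1:]
    diff = math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return diff / math.sqrt(sum(x * x for x in a))


def add_delay(series, mean, exponential, seed=1):
    """Per-sample transmission delay: constant (= mean) or exponentially
    distributed with the given mean.  Re-seeding makes the exponential noise
    for different means scaled copies of one another, so they compare fairly."""
    if not exponential:
        return [x + mean for x in series]
    rng = random.Random(seed)
    return [x + rng.expovariate(1.0 / mean) for x in series]


def scripted_series(periods=16):
    """Constructed periodic inter-arrival series with values in [0.002, 0.5]."""
    return [0.002, 0.002, 0.5, 0.002] * periods


def delay_experiment():
    """Deviation of the delayed spectrum from the original, per delay model."""
    x = scripted_series()
    return {
        "constant 0.5": spectral_deviation(x, add_delay(x, 0.5, False)),
        "exp 0.05": spectral_deviation(x, add_delay(x, 0.05, True)),
        "exp 0.5": spectral_deviation(x, add_delay(x, 0.5, True)),
        "exp 5": spectral_deviation(x, add_delay(x, 5.0, True)),
    }


if __name__ == "__main__":
    for model, dev in delay_experiment().items():
        print("%-13s deviation = %.3f" % (model, dev))
```

The constant delay gives a deviation of zero up to rounding, while the exponential delays produce deviations that grow roughly in proportion to the mean: at 0.05 s the three harmonic peaks of the scripted pattern still dominate, at 0.5 s the noise floor is of the same order as the peaks, and at 5 s the original pattern is buried, matching the progression shown in panels (a) to (c) of slide 14.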