Studies of Intrusion Traffic Patterns Using OPNET University of Central Florida

Session 1341: Case Studies of Security
Studies of Intrusion Traffic Patterns Using OPNET
Mian Zhou, Sheau-Dong Lang
University of Central Florida
Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties.
1341 Security
Outline
• Simulation of network intrusion scenarios.
• Testing a frequency-based intrusion detection strategy.
• Studying the effects of transmission delays on our detection strategy.
Our Approach to Intrusion Simulation
• Use OPNET to simulate intrusion scenarios by replaying the network traffic.
• Traffic data sources:
  • The publicly available datasets from MIT Lincoln Laboratory.
  • Self-generated attack traffic.
    Attack tools: Nmap, Battle
    Sniffer: Ethereal
Simulation using OPNET
[Figure: the three OPNET modelling domains: the network domain, the node domain, and the process domain (C code for a process node).]
Pre-processing Traffic Data
• Process the TCPDUMP data to extract:
  • the packet inter-arrival times,
  • the traffic duration,
  • a list of the distinct IP addresses in the traffic source.
• Build a network model with the end nodes corresponding to the extracted IP addresses.
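The pre-processing step above, as an added example that is not the authors' OPNET code: it parses tcpdump text into header-only records (payload dropped, as the packet-format slide describes), derives the inter-arrival times, the traffic duration and the distinct IP addresses for the node list, and groups packets per connection so that the per-connection packet-size variance used on the Overall Detection Strategy slide can be computed. The input lines are constructed here in the shape of `tcpdump -nn -tt` output; the addresses, ports and timestamps are made up for the demonstration.

```python
"""Pre-process tcpdump text into per-flow series for replay.

Added example, not the authors' pre-processing code. SAMPLE is constructed
to look like `tcpdump -nn -tt` output (epoch-second timestamps); all
addresses, ports and times are invented for the demonstration.
"""
import re
from collections import defaultdict
from statistics import pvariance
from typing import List, NamedTuple

# Matches lines such as
# 1000.000000 IP 172.16.112.50.1024 > 172.16.114.50.25: Flags [S], seq 1, win 512, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r".*length (?P<size>\d+)"
)


class Packet(NamedTuple):
    """Header fields only; the payload is dropped, as on the packet-format slide."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    size: int


# Constructed sample: four SYNs from one host to port 25 of the victim
# (a ProcessTable-style connection flood in miniature), the victim's
# SYN-ACK to the first one, and one unrelated HTTP data packet.
SAMPLE = """\
1000.000000 IP 172.16.112.50.1024 > 172.16.114.50.25: Flags [S], seq 1, win 512, length 0
1000.100000 IP 172.16.114.50.25 > 172.16.112.50.1024: Flags [S.], seq 1, ack 2, win 512, length 0
1000.200000 IP 172.16.112.50.1025 > 172.16.114.50.25: Flags [S], seq 1, win 512, length 0
1000.400000 IP 172.16.112.50.1026 > 172.16.114.50.25: Flags [S], seq 1, win 512, length 0
1000.600000 IP 172.16.112.50.1027 > 172.16.114.50.25: Flags [S], seq 1, win 512, length 0
1001.000000 IP 172.16.113.84.3355 > 172.16.114.50.80: Flags [P.], seq 1:201, ack 1, win 512, length 200
""".splitlines()


def parse_tcpdump(lines) -> List[Packet]:
    """Parse tcpdump text lines; non-IP or malformed lines are skipped."""
    packets = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append(Packet(float(m["ts"]), m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["flags"], int(m["size"])))
    packets.sort(key=lambda p: p.ts)   # tcpdump output is time-ordered, but be safe
    return packets


def inter_arrival_times(packets):
    """The series fed to the OPNET packet generator as scripted intervals."""
    return [b.ts - a.ts for a, b in zip(packets, packets[1:])]


def traffic_duration(packets):
    return packets[-1].ts - packets[0].ts if packets else 0.0


def distinct_ips(packets):
    """One end node per distinct address in the network model."""
    return sorted({ip for p in packets for ip in (p.src, p.dst)})


def by_connection(packets):
    """Group packets by the (src, sport, dst, dport) 4-tuple."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src, p.sport, p.dst, p.dport)].append(p)
    return dict(flows)


def connections_to(packets, victim):
    """Number of distinct connections (source host, source port, victim port)
    targeting one victim, the statistic plotted in output (a) on slide 7."""
    return len({(p.src, p.sport, p.dport) for p in packets if p.dst == victim})


def size_variance_by_connection(packets):
    """Population variance of packet size per connection, the input to the
    variance-analysis step of the detection strategy."""
    return {k: pvariance([p.size for p in v]) for k, v in by_connection(packets).items()}


if __name__ == "__main__":
    pk = parse_tcpdump(SAMPLE)
    print("duration:", traffic_duration(pk), "s")
    print("inter-arrival:", [round(x, 3) for x in inter_arrival_times(pk)])
    print("nodes:", distinct_ips(pk))
    print("connections to victim:", connections_to(pk, "172.16.114.50"))
```

On real captures the same functions apply to the output of `tcpdump -nn -tt -r file.pcap`; the regex only recognises TCP lines with a `Flags [...]` field, so UDP and ICMP packets are dropped rather than mis-parsed.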
OPNET Model — Packet Generator
Packet format: drop the payload of the original packets but retain the IP header information, including IP addresses, port numbers, packet size, time stamp, flags, etc.

[Figure: the attribute panel of the packet generator, with scripted packet inter-arrival times calculated from pre-processing the source data.]
Two Sample Outputs from Simulation of the ProcessTable Attack
[Figure: (a) number of distinct port connections to a victim; (b) data traffic to port 25 of the victim PC.]
Data source: 1999 Lincoln Week 5 outside data. DoS attack: ProcessTable.
Frequency-based Intrusion Detection
Observation:
• Certain network attacks are executed by running pre-written scripts which automate the process of connecting to various ports, sending packets with fabricated payloads, etc.
• Frequency-based intrusion detection: use the Discrete Fourier Transform (DFT) to identify periodicity patterns.
• Where to find the periodicity patterns:
  • the time series of packets' inter-arrival times,
  • the time series of packet arrival rates,
  • the size distribution of packet payloads.
Overall Detection Strategy
[Flowchart: traffic data → parse new connections (kept in a new-connection history) → variance analysis (average variance of packet size for each connection) → pass the trusted connections → generate the time-series data (a data sequence for each connection; a data sequence for multiple connections) → DFT → local frequency pattern (per connection) and global frequency pattern (multiple connections) → compare with a threshold value → report attacks.]
Frequency Extraction by Discrete Fourier Transform (DFT)
For a given data sequence s(n), where n ≥ 0 is a discrete value representing the time, its DFT coefficients F(k) are defined as follows:

$$F(k) = \sum_{n=0}^{N-1} s(n)\, e^{-j 2\pi k n / N}, \qquad 0 \le k \le N-1,$$

where N is the length of s(n). Expanding the right-hand side yields

$$F(k) = \sum_{n=0}^{N-1} s(n)\cos(2\pi k n / N) \;-\; j \sum_{n=0}^{N-1} s(n)\sin(2\pi k n / N).$$

Using the Fast Fourier Transform (FFT) procedure, the frequency data F(k) can be computed in O(N log N) time.
Detection Results: the ProcessTable Attack
[Figure: six panels, one per connection (1 to 6).] Frequency patterns extracted by DFT on inter-arrival times of six connections. Connections 2 and 4 show periodicity patterns. The traffic of connection 2 is the ProcessTable attack; connection 4 is a probe attack, which probes the target's ports ranging from 1794 to 2631.
Detection Results: the Dictionary Attack
[Figure: six panels, one per connection (1 to 6).] Frequency patterns on inter-arrival times of six connections for the Dictionary attack. Connection 2 shows the password-guessing (dictionary) attack.
Detection Results: the sshProcessTable Attack
[Figure: six panels, one per connection (1 to 6).] Frequency patterns of the rates of packet arrivals of six connections for the sshProcessTable attack. Connection 2 contains the attack traffic.
[Figure: six panels, one per connection (1 to 6).] Frequency patterns of inter-arrival times for the same six connections. Connection 2 shows the attack traffic.
The Effect of Transmission Delays on Frequency Patterns
[Figure: the spectra (frequency patterns) of three time-series data, where the original data values lie in [0.002, 0.5].]
(a) The spectrum of the original data series X(t).
(b) The spectrum of X(t) + exp(0.5) (exponentially distributed delay with mean value 0.5 seconds).
(c) The spectrum of X(t) + exp(5).
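The DFT-based check from the Frequency Extraction slide and the delay experiment above, as one added example that is not the authors' code. It evaluates the DFT formula directly (O(N²), adequate for per-connection series of a few hundred packets), scores how concentrated the spectrum is, and then repeats the slide's "X(t) + exp(mean)" experiment by adding an exponentially distributed delay sample to every inter-arrival value. The periodicity score (largest non-DC magnitude divided by the mean magnitude), the threshold of 10, the scripted and random series and the seeds are all this example's own assumptions, not values from the paper.

```python
"""Frequency-based periodicity check on a packet inter-arrival series.

Added example, not the authors' code. Implements the DFT formula from the
"Frequency Extraction" slide and the "X(t) + exp(mean)" delay experiment.
The score, threshold, test series and seeds below are assumptions made
for this demonstration.
"""
import cmath
import math
import random


def dft(s):
    """F(k) = sum_{n=0}^{N-1} s(n) * exp(-j 2 pi k n / N), for 0 <= k < N."""
    N = len(s)
    return [sum(s[n] * cmath.exp(-2j * math.pi * k * n / N) for n in range(N))
            for k in range(N)]


def magnitude_spectrum(s):
    """One-sided |F(k)| for 0 < k < N/2.

    The mean is removed first so the DC term (k = 0) does not swamp the
    periodic components; for real input the upper half of the spectrum
    mirrors the lower half, so it is dropped."""
    mean = sum(s) / len(s)
    coeffs = dft([x - mean for x in s])
    return [abs(c) for c in coeffs[1:len(s) // 2]]


def periodicity_score(s):
    """Peak-to-mean ratio of the spectrum (assumed score). A strictly
    periodic series puts all its energy in a few bins (ratio near the
    number of bins); random or heavily jittered series spread it over all
    bins (ratio of roughly 2 to 4 for white noise)."""
    mag = magnitude_spectrum(s)
    return max(mag) / (sum(mag) / len(mag))


def dominant_period(s):
    """Period, in packets, of the strongest spectral line."""
    mag = magnitude_spectrum(s)
    k = mag.index(max(mag)) + 1          # +1 because bin 0 was dropped
    return len(s) / k


def add_delay(s, mean, seed=1):
    """The slide's X(t) + exp(mean): add an exponentially distributed delay
    (mean seconds) to every inter-arrival value. Seeded for reproducibility."""
    rng = random.Random(seed)
    return [x + rng.expovariate(1.0 / mean) for x in s]


SCRIPT_THRESHOLD = 10.0   # assumed; calibrate on known-benign traffic in practice


def is_scripted(s, threshold=SCRIPT_THRESHOLD):
    return periodicity_score(s) >= threshold


def scripted_series(repeats=64):
    """Constructed: a script that sends two packets 50 ms apart, pauses
    400 ms, and repeats (values stay within [0.002, 0.5] as on the slide)."""
    return [0.05, 0.05, 0.40] * repeats


def benign_series(n=192, seed=7):
    """Constructed stand-in for non-scripted traffic: independent random
    inter-arrival times in the same range."""
    rng = random.Random(seed)
    return [rng.uniform(0.002, 0.5) for _ in range(n)]


if __name__ == "__main__":
    s = scripted_series()
    print(f"clean script       score={periodicity_score(s):6.1f} "
          f"period={dominant_period(s):.0f} packets")
    for mean in (0.05, 0.5, 5.0):
        d = add_delay(s, mean)
        print(f"script + exp({mean:<4}) score={periodicity_score(d):6.1f} "
              f"period={dominant_period(d):.1f} packets")
    print(f"random traffic     score={periodicity_score(benign_series()):6.1f}")
```

With the clean scripted series all energy sits in bin k = N/3 (a 3-packet period), so the score equals the number of bins; adding a constant delay to every sample changes only the mean, which the demeaning removes, matching the conclusion that near-constant transmission delay leaves the pattern intact. As the exponential delay's mean grows the noise floor rises across all bins until the spectral line is no longer distinguishable, which is the progression from panel (a) to panel (c).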
Transmission Delay in LANs
[Figure: a simple LAN, in which the web client sends the traffic to three servers. We collected the inter-arrival times of the traffic to the main server.]
[Figure: the profile configuration panel.]
The Effect of Transmission Delays
[Figure: frequency patterns collected at the main server when other types of explicit traffic loads are added to the web client traffic. The inter-arrival times and frequency patterns collected (a) at the sender (the web client) and (b) at the receiver (the main server).]
Transmission Delays in WANs
[Figure: a WAN, in which the site Dublin sends traffic to site London through an Internet cloud. Other types of traffic, such as email and ftp, are created by the other 5 nodes and coexist with the custom traffic from Dublin. The packet delivery process of the custom traffic is controlled by scripted packet time intervals.]
[Figure: the configuration panel for the Internet cloud, where we specify the statistical distribution of the packet latency caused by traversing the Internet.]
The Effect of Transmission Delays in WANs
[Figure: frequency patterns of the packet inter-arrival times with different Internet transmission delays. The distributions for the transmission delay include constant, uniform, and exponential.]
[Figure: frequency patterns of the packet inter-arrival times with exponentially distributed transmission delays. The spectrum starts to deviate from the original as the mean value increases.]
Conclusions
• Frequency-based intrusion detection
  • Detects anomalous traffic behaviors (those that contain periodicity patterns).
  • Improves the effectiveness of signature-based intrusion detection systems when combined with other simple statistical features of the traffic data.
  • Needs measures to counter attacks with randomized scripts.
  • Limited to attacks with relatively long duration and heavy load.
• Transmission delay on frequency patterns
  • Frequency patterns are not affected by near-constant transmission delay.
  • Frequency patterns persist in LANs.
  • In WANs, further studies on packet latency are required.