Rule-Based Intrusion Detection System Analysis

This document outlines a proposed study on network intrusion detection using flow-based traffic analysis. It discusses intrusion detection systems and the types of network-based and host-based systems. The goal is to capture normal and attack netflow data, extract features, and build a rule-based intrusion detection model. It reviews related work on rule-based approaches and the ADAM and MIDAS systems. The proposed methodology involves collecting netflow data, preprocessing, normalization, feature extraction, and experimental testing using netflow capturing tools and generated attacks.


Presented by: Sikdar Md. Sultan Askari, CSI09023
[Link]. 3rd Semester, Computer Science & Engineering, Tezpur University

Under supervision and guidance of: Prof. Dhruba Kr. Bhattacharya,
Computer Science & Engineering, Tezpur University

13/12/2010
Outline
- Introduction
  - IDS and its types
  - Aim of the work
- ADAM and related work
- Rule-based approach
- Dataset preparation:
  - NetFlow
  - Capturing, preprocessing, normalization, feature extraction
- Experimental study
  - NetFlow capturing tool
  - Attack generation
- Proposed plan of work
Intrusion Detection System?
- IDS
  - Intrusion detection is the process of monitoring the events occurring in a
    computer system or network and analyzing them for signs of intrusions:
    attempts to compromise the confidentiality, integrity or availability of a
    computer system or network, or to bypass its security mechanisms.
Types of IDS
Based upon information source:
- network-based
- host-based

NIDS:
- Anomaly based
- Rule based or signature based
Intruders
- MASQUERADER
  - An outside user.
  - Pretends to be an authorized user.
- MISFEASOR
  - An internal user.
  - Has limited permission, or has full permission but misuses it.
- CLANDESTINE USER
  - One who seizes supervisory control.
  - Outsider.
Aim of the work:
- The main aim of the work is to capture normal NetFlow data.
- Launch various types of known attacks and capture them.
- Extract essential features and, based on the analysis of those, build a
  strong rule-based intrusion detection model.
ADAM
Audit Data Analysis and Mining
The IDS ADAM has three modules:
- Preprocessing engine
- Mining engine
- Classification engine

Preprocessing engine
It sniffs TCP/IP traffic data and extracts information from the header of each
connection according to a predefined schema.

Mining engine
It creates a database of association rules that have strong support in datasets
where there were no attacks; these constitute the training data for the system.
ADAM
Audit Data Analysis and Mining
- The mining engine has three components:
  - Single-level mining
  - Domain-level mining
  - Feature selection
- The mining engine works in two modes:
  - Training mode
  - Detecting mode
ADAM
Generic architecture: training phase

Fig: Training mode of ADAM
ADAM
Training phase
- It takes place before the system is used to detect intrusions.
- This phase uses a data stream of known attacks.
- It creates a profile of the users' and systems' normal behaviors and
  generates labeled association rules which will be used to train the
  classification engine.
ADAM
Generic architecture: detecting phase

Fig: Detecting mode of ADAM
ADAM
Detecting phase
- The detecting mode mines unexpected association rules that are different
  from the profile.
- These rules, along with the features extracted, are fed to the trained
  classifier.
- The classifier labels each as attack, normal or unknown, and passes the
  attack and unknown ones to the security officer.
Related Work
- Rule-based approach
  - An approach in which some rules are defined for network traffic.
  - These rules are used to differentiate normal network connections from
    anomalous connections.
  - Anomalous connections refer to events with a probability of intrusion.
  - The rules usually have the following form:
    if { condition } then { act }
  - The condition usually refers to a match between the current network
    connection and the rules in the IDS.
  - The act field usually refers to an action defined by the security
    policies.
Rule-based approach (contd.)
- For example, a rule can be defined as:
  If {the connection has the following information:
      Source IP address: 124.12.5.18;
      Destination IP address: [Link];
      destination port number: 21;
      connection time: 10.1 seconds
  }
  Then {stop the connection}
- The rules reflect the partially ordered sequence of actions that comprise
  the intrusion scenario.
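The `if { condition } then { act }` form above, applied to flow records, as an added example (not code from the presentation): each rule is a conjunction of (field, operator, value) clauses over a flow record, and the first matching rule's act is returned. The flow field names, the second rule and the sample records are assumptions of this example; the destination address of the slide's rule is redacted on the page, so a documentation placeholder is used.

```python
"""Rule-based matching over flow records: if {condition} then {act}.

Added example, not from the presentation. Flow records are plain dicts whose
keys follow the flow feature names used in the slides (sip, dip, dport,
duration, ...); the rules and sample records are constructed for this example.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

Flow = Dict[str, Any]
Condition = Tuple[str, str, Any]  # (flow field, operator, value)

# Operators a condition may use; the left operand is always a flow field
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "in": lambda a, b: a in b,
}


@dataclass
class Rule:
    name: str
    condition: List[Condition]  # all clauses must hold (logical AND)
    act: str                    # action defined by the security policy

    def matches(self, flow: Flow) -> bool:
        for field_name, op, value in self.condition:
            if field_name not in flow:
                return False          # a field the record lacks never matches
            if not OPERATORS[op](flow[field_name], value):
                return False
        return True


def evaluate(flow: Flow, rules: List[Rule]) -> Optional[str]:
    """Return the act of the first rule whose condition the flow satisfies.

    Rules are checked in the order given, so the most specific go first.
    """
    for rule in rules:
        if rule.matches(flow):
            return rule.act
    return None


# Rule 1 is the slide's example (source 124.12.5.18 to FTP port 21 for 10.1 s);
# the destination address is a placeholder because the slide redacts it.
# Rule 2 is constructed: a single-packet flow carrying only a SYN.
RULES = [
    Rule(
        name="ftp-long-connection",
        condition=[
            ("sip", "==", "124.12.5.18"),
            ("dip", "==", "192.0.2.10"),   # placeholder address
            ("dport", "==", 21),
            ("duration", ">=", 10.1),
        ],
        act="stop the connection",
    ),
    Rule(
        name="syn-only-single-packet",
        condition=[("proto", "==", "TCP"), ("flags", "==", "S"), ("packets", "==", 1)],
        act="log and count toward scan threshold",
    ),
]

# Constructed flow records shaped like the features extracted from NetFlow
SAMPLE_FLOWS: List[Flow] = [
    {"sip": "124.12.5.18", "dip": "192.0.2.10", "dport": 21, "proto": "TCP",
     "flags": "AP", "packets": 40, "duration": 10.1},
    {"sip": "10.0.0.7", "dip": "192.0.2.10", "dport": 445, "proto": "TCP",
     "flags": "S", "packets": 1, "duration": 0.0},
    {"sip": "10.0.0.8", "dip": "192.0.2.10", "dport": 80, "proto": "TCP",
     "flags": "APF", "packets": 12, "duration": 0.4},
]


def classify_all(flows: List[Flow]) -> List[Optional[str]]:
    """Act chosen for each flow, or None when no rule matches."""
    return [evaluate(f, RULES) for f in flows]


if __name__ == "__main__":
    for flow, act in zip(SAMPLE_FLOWS, classify_all(SAMPLE_FLOWS)):
        print(f"{flow['sip']} -> {flow['dip']}:{flow['dport']}  act={act}")
```

Ordering matters: a broad rule placed before a specific one shadows it, which is the same reason the MIDAS rule base discussed later had to be subdivided by intrusion type.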
MIDAS
Multics Intrusion Detection Alert System
- The MIDAS rule base grew to be very large, so it was subdivided by the type
  of intrusion each rule was designed to detect.
- It was designed to take some predefined action once it detected an
  intrusion.
- A secondary set of rules determined what action should be taken by the
  system.
- The following rule (1) deals with an intrusion scenario concerning attempted
  privileged account intrusions.
Multics Intrusion Detection Alert System
Illegal privileged account access rule
(defrule illegal_privileged_account states
  if there exists a failed_login_item
     such that name is ("root" or "superuser" or "maintenance" or "system")
     and time is ?time_stamp and channel is ?channel
  then
     (print "WARNING: ATTEMPTED LOGIN TO PRIVILEGED ACCOUNT")
     and remember a breakin_attempt with certainty *high* such that
        attack_time is ?time_stamp and login_channel is ?channel)
Multics Intrusion Detection Alert System
Unusual login time rule
(defrule unusual_login_time states
  if there exists a login_entry
     such that user is ?userid and
     time_stamp is ?login_time and
     (unusual_login_time ?userid ?login_time)
  then
     remember a user_login_anomaly
     such that user is ?userid and
     time_stamp is ?login_time)
Multics Intrusion Detection Alert System
Unusual login time rule
- The above intrusion scenario involves unusual login times.
- This rule is used to determine when a login to an account was made outside
  of "normal" hours.
- But the problems in MIDAS are:
  - This illustrates that the intrusion scenario describes unusual behaviour
    that does not necessarily constitute an intrusion.
  - Only the rules used to check for the initial steps in the intrusion need
    to be fired.
People are working on two different approaches in this field
- Packet-level analysis
- Flow-level analysis
- Why flow level?
  - Packet-level network traffic grows in volume and complexity.
  - Capturing and decoding every packet for traffic analysis is one of the
    challenging tasks in a high-speed network.
  - From the analysis point of view, analysing a huge volume of data may not
    be efficient.
Dataset Generation
- What is flow-based traffic?
  - A flow is a unidirectional series of IP packets passing through an
    observation point in the network during a certain time interval.
  - All packets belonging to a particular flow have a set of common
    properties.
NetFlow Traffic
- Originally developed by Darren Kerr and Barry Bruins in 1996 as part of
  Cisco IOS.
- It is a network-protocol-based collection of summarized IP traffic
  information.
- A network flow is defined by a 7-tuple of keys, where a flow is a
  unidirectional sequence of packets.
- There are different NetFlow export versions (i.e., v1, v5, v7, v8, v9).
- The most common version of NetFlow is v5.
- Information from different packets is aggregated into a flow.
- A packet belongs to a flow if it completely satisfies all the defined
  properties of the flow.
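How packets are aggregated into unidirectional flows, as an added example (not code from the presentation, Cisco or nfdump): packets are keyed on the classic NetFlow 7-tuple (source IP, destination IP, source port, destination port, IP protocol, ToS byte, input interface), a packet joins a flow only when all seven keys match, and a flow that has been idle longer than an inactive timeout is exported and a new flow starts. It goes slightly beyond the slide by also computing the pps, bps and bpp rates that the feature list later uses. The packet records, the interface numbers and the timeout value are constructed assumptions.

```python
"""Aggregate packets into unidirectional NetFlow-style flows keyed by the
7-tuple (src IP, dst IP, src port, dst port, IP protocol, ToS, input interface).

Added example, not code from the presentation or from Cisco/nfdump. Packet
records are constructed in-memory tuples; the inactive timeout and the
interface numbers are assumptions.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# (timestamp_s, src_ip, dst_ip, src_port, dst_port, proto, tos, in_if, length_bytes, tcp_flags)
Packet = Tuple[float, str, str, int, int, str, int, int, int, str]
FlowKey = Tuple[str, str, int, int, str, int, int]

INACTIVE_TIMEOUT = 15.0  # seconds without a packet before the flow is exported (assumption)


@dataclass
class Flow:
    key: FlowKey
    first: float
    last: float
    packets: int = 0
    bytes: int = 0
    flags: Set[str] = field(default_factory=set)  # union of TCP flags seen

    @property
    def duration(self) -> float:
        return self.last - self.first

    def derived(self) -> Dict[str, float]:
        """pps/bps/bpp as NetFlow tools report them; a zero-duration flow gets 0 rates."""
        d = self.duration
        return {
            "pps": self.packets / d if d > 0 else 0.0,
            "bps": self.bytes * 8 / d if d > 0 else 0.0,
            "bpp": self.bytes / self.packets if self.packets else 0.0,
        }


def aggregate(packets: List[Packet], inactive_timeout: float = INACTIVE_TIMEOUT) -> List[Flow]:
    """Build flows from packets (sorted by time). A packet joins an active flow
    only if its 7-tuple matches exactly and the flow has not gone idle;
    otherwise the idle flow is exported and a new flow with the same key starts."""
    active: Dict[FlowKey, Flow] = OrderedDict()
    exported: List[Flow] = []
    for ts, sip, dip, sp, dp, proto, tos, in_if, length, flags in sorted(packets):
        key: FlowKey = (sip, dip, sp, dp, proto, tos, in_if)
        flow = active.get(key)
        if flow is not None and ts - flow.last > inactive_timeout:
            exported.append(active.pop(key))   # idle: export and start afresh
            flow = None
        if flow is None:
            flow = Flow(key=key, first=ts, last=ts)
            active[key] = flow
        flow.last = ts
        flow.packets += 1
        flow.bytes += length
        flow.flags.update(flags)
    exported.extend(active.values())  # flush whatever is still active at end of capture
    return exported


# Constructed capture: one HTTP exchange, whose request and reply directions
# become two separate flows, plus a late packet that falls after the idle gap.
SAMPLE_PACKETS: List[Packet] = [
    (0.00, "10.0.0.5", "192.0.2.10", 43210, 80, "TCP", 0, 1, 60, "S"),
    (0.01, "192.0.2.10", "10.0.0.5", 80, 43210, "TCP", 0, 2, 60, "SA"),
    (0.02, "10.0.0.5", "192.0.2.10", 43210, 80, "TCP", 0, 1, 52, "A"),
    (0.03, "10.0.0.5", "192.0.2.10", 43210, 80, "TCP", 0, 1, 412, "AP"),
    (0.20, "192.0.2.10", "10.0.0.5", 80, 43210, "TCP", 0, 2, 1500, "A"),
    (0.30, "192.0.2.10", "10.0.0.5", 80, 43210, "TCP", 0, 2, 1500, "A"),
    (40.0, "10.0.0.5", "192.0.2.10", 43210, 80, "TCP", 0, 1, 52, "AF"),  # after the idle gap
]

if __name__ == "__main__":
    for f in aggregate(SAMPLE_PACKETS):
        print(f.key[:4], f.packets, f.bytes, round(f.duration, 3), f.derived())
```

Because flows are unidirectional, a single TCP connection always yields at least two records; a rule that wants to see both directions has to join them on the swapped address/port pairs.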
Common Flow Parameters

Dataset Generation steps
- Capturing
  - Flow caching
  - Flow collector
- Preprocessing
- Normalization
- Feature extraction
  - Time-window based
  - Connection-window based
Flow example

Experimental study:

Fig: Our test bed. Components shown: the Internet, Router1, a server, an L3
switch with a mirror port to the flow capturing node, two L2 switches,
workstations, and two attack generating nodes.
Capturing Tool
There are many NetFlow tools available; however, we use the following two
tools:
- NFDUMP
- NFSEN
NFDUMP
- Different command-line tools in NFDUMP:
  - nfdump - main netflow dumping tool
  - nfcapd - netflow capture daemon
  - nfprofile - netflow profiler
  - nfreplay - netflow replay
  - [Link] - cleanup old data
  - ft2nfdump - read and convert NetFlow traffic data
NFDUMP Internals:
The captured flows are saved in a file named [Link]
NFDUMP
- nfdump reads nfcapd files and processes them as needed.
- It parses pcap-like filters (usually on protocol, packets, bytes, pps, bps,
  bpp, duration etc.).
- It can aggregate NetFlows based on proto, prefix/length, ASN, port etc.
- It can display the top N NetFlows based on record, ip, port, tos, as, if,
  proto etc.
- nfdump can also visualize the NetFlows ordered by flows, packets, bytes,
  pps, bps, bpp etc.
NFDUMP raw output
nfdump -r /home/kongkon/nfsen/profiles_data/live/upstream1/2010/11/10/nfcapd.201011102310 -o raw -c 1
NFDUMP extended output
nfdump -r /home/kongkon/nfsen/profiles_data/live/upstream1/2010/11/10/nfcapd.201011102310 -o extended -c 25

Custom format of NFDUMP
NFSEN (NetFlow Sensor)
- NfSen is a graphical web-based front end for the nfdump NetFlow tools.
- It can visualize NetFlow traffic data in different forms, such as flow
  statistics and visual command-line options.
- NfSen can process the NetFlow data within a specified time interval.
NFSEN output (stacked graph)

NFDUMP output (line graph)
Known attacks used
- List of network attacks used for network traffic analysis:
  - SYN attack (-sS)
  - Xmas attack (-sX)
  - TCP window attack (-sW)
- Tool used for generating the above attacks:
  - NMAP
Running NMAP (SYN attack)

Captured data (SYN attack)

Graphical view (SYN attack)
Attack name         Generating tool/code   Train dataset   Test dataset
Bonk                targa2.c               Y               Y
Jolt                targa2.c               Y               Y
Land                targa2.c               Y               Y
Saihyousen          targa2.c               Y               Y
TearDrop            targa2.c               Y               Y
Newtear             targa2.c               Y               Y
1234                targa2.c               Y               Y
Winnuke             targa2.c               Y               Y
Oshare              targa2.c               Y               Y
Nestea              targa2.c               Y               Y
SynDrop             targa2.c               Y               Y
Octopus             Octopus.c              Y               Y
KillWin             Killwin.c              Y               Y
Twinge              Twinge.c               Y               Y
Neptune             FireHack               Y               Y
Dosnuke (NetBios)   FireHack               Y               Y
Smbdie              [Link]                 Y               Y
LinuxICMP           linux-icmp.c           N               Y
Moyari13            moyari13.c             N               Y
Sesquipedalian      sesquipedalian.c       N               Y
Smurf               smurf4.c               N               Y
OverDrop            overdrop.c             N               Y
OpenTear            opentear.c             N               Y
EchoChargen         FireHack               N               Y
Flow-based feature list (primary)
Sl. no.   Feature name
1         Duration
2         Protocol
3         Source IP Address
4         Source Port
5         Destination IP Address
6         Destination Port
7         Flags
8         Tos (Type of Service)
9         Packets
10        Bytes
11        pps (packets per second)
12        bps (bits per second)
13        Bpp (bytes per packet)
14        Status of the flow
Preprocessed Dataset
(using C++ code)
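The preprocessing step that turns nfdump's extended output into the primary feature list above, plus the time-window and connection-window features named under "Dataset Generation steps", as an added example in Python rather than the presentation's C++ (this is not the project's code). The sample lines are constructed to follow the column layout nfdump prints for `-o extended` (Date first seen, Duration, Proto, Src IP:Port -> Dst IP:Port, Flags, Tos, Packets, Bytes, pps, bps, Bpp, Flows); the layout can differ between nfdump versions, so check it against your own output. The window sizes are assumptions, and feature 14 (status of the flow) is not derivable from these columns and is left out.

```python
"""Turn nfdump 'extended' output lines into the primary flow feature vector of
the slides and add per-source time-window and connection-window counts.

Added example, not code from the presentation or the nfdump project. Sample
lines are constructed in the column layout of `nfdump -o extended`; window
sizes are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime
from typing import Any, Dict, List

# Constructed sample: one HTTP flow, four SYN-only flows from one host to
# different ports within 30 ms, and a long UDP flow with a 'M' byte suffix.
SAMPLE_NFDUMP_LINES = """\
2010-11-10 23:10:01.123     0.412 TCP       10.0.0.8:51002 ->     192.0.2.10:80    .AP.SF   0       12     4320       29    83883    360     1
2010-11-10 23:10:02.000     0.000 TCP       10.0.0.7:40001 ->     192.0.2.10:21    ....S.   0        1       60        0        0     60     1
2010-11-10 23:10:02.010     0.000 TCP       10.0.0.7:40002 ->     192.0.2.10:22    ....S.   0        1       60        0        0     60     1
2010-11-10 23:10:02.020     0.000 TCP       10.0.0.7:40003 ->     192.0.2.10:23    ....S.   0        1       60        0        0     60     1
2010-11-10 23:10:02.030     0.000 TCP       10.0.0.7:40004 ->     192.0.2.10:25    ....S.   0        1       60        0        0     60     1
2010-11-10 23:10:05.500    12.300 UDP       10.0.0.9:5060  ->     192.0.2.20:5060  ......   0      900    1.2 M       73   780487   1398     1
"""

UNIT = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def _numbers(tokens: List[str]) -> List[float]:
    """Read numeric tokens, folding a following K/M/G unit token into the value
    (nfdump prints large counters as e.g. '1.2 M')."""
    out: List[float] = []
    i = 0
    while i < len(tokens):
        value = float(tokens[i])
        if i + 1 < len(tokens) and tokens[i + 1] in UNIT:
            value *= UNIT[tokens[i + 1]]
            i += 1
        out.append(value)
        i += 1
    return out


def parse_line(line: str) -> Dict[str, Any]:
    """One extended-format line -> primary features 1..13 of the slide."""
    t = line.split()
    src_ip, src_port = t[4].rsplit(":", 1)
    dst_ip, dst_port = t[6].rsplit(":", 1)
    nums = _numbers(t[9:])  # packets bytes pps bps bpp [flows]
    return {
        "start": datetime.strptime(t[0] + " " + t[1], "%Y-%m-%d %H:%M:%S.%f"),
        "duration": float(t[2]),
        "proto": t[3],
        "sip": src_ip, "sport": int(src_port),
        "dip": dst_ip, "dport": int(dst_port),
        # nfdump prints flags positionally as UAPRSF with '.' for unset bits
        "flags": "".join(c for c in t[7] if c != "."),
        "tos": int(t[8]),
        "packets": int(nums[0]), "bytes": int(nums[1]),
        "pps": nums[2], "bps": nums[3], "bpp": nums[4],
    }


def add_window_features(flows: List[Dict[str, Any]], time_window_s: float = 2.0,
                        conn_window: int = 3) -> List[Dict[str, Any]]:
    """Per source: flows and distinct destination ports seen within the last
    time_window_s seconds (time window), and SYN-only flows among the last
    conn_window flows (connection window). Both windows slide in time order."""
    flows = sorted(flows, key=lambda f: f["start"])
    recent_by_src = defaultdict(deque)
    last_by_src = defaultdict(lambda: deque(maxlen=conn_window))
    for f in flows:
        q = recent_by_src[f["sip"]]
        q.append(f)
        while (f["start"] - q[0]["start"]).total_seconds() > time_window_s:
            q.popleft()
        f["tw_flows"] = len(q)
        f["tw_dst_ports"] = len({x["dport"] for x in q})
        lq = last_by_src[f["sip"]]
        lq.append(f)
        f["cw_syn_only"] = sum(1 for x in lq if x["flags"] == "S")
    return flows


def preprocess(text: str) -> List[Dict[str, Any]]:
    return add_window_features([parse_line(l) for l in text.splitlines() if l.strip()])


if __name__ == "__main__":
    for f in preprocess(SAMPLE_NFDUMP_LINES):
        print(f["sip"], f["dport"], f["flags"], f["bytes"], f["tw_dst_ports"], f["cw_syn_only"])
```

The per-flow columns alone cannot separate a single SYN from a scan; it is the window counts (many distinct destination ports from one source in a short interval) that give a rule something to threshold on, which is why the slides list both kinds of feature extraction.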
Proposed plan of work:
Methodology and work to be done
We are interested in using a rule-based approach.
- Work is as follows:
  - Identify normal behavior (done)
  - Construct a useful set of features (done)
  - Define and construct some efficient rules
  - Use a rule-based IDS algorithm (propose a suitable algorithm)
  - Implementation for experiment
PLANNED ARCHITECTURE OF THE MODEL
THANK YOU