See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/4041883

Network security monitoring - intrusion detection

Conference Paper · May 2003

DOI: 10.1109/SIEDS.2003.158030 · Source: IEEE Xplore

CITATIONS READS
12 446

6 authors, including:

Bill Scherer
University of Virginia
182 PUBLICATIONS 1,831 CITATIONS

SEE PROFILE

All content following this page was uploaded by Bill Scherer on 31 July 2015.

The user has requested enhancement of the downloaded file.

 Proceedings of the 2003 Systems and Information Engineering Design Symposium
Matthew H. Jones, Barbara E. Tawney, and K. Preston White, Jr., eds.

NETWORK SECURITY MONITORING – INTRUSION DETECTION

Janelle Davis
Eric Hill
Leah Spradley
Mitchell Wright
William Scherer
YiYi Zhang

Department of Systems and Information Engineering

University of Virginia

ABSTRACT formation about other parties within the enterprise. Cur-

rently, agencies within CapWIN combat attacks from
Current technology enables multi-faceted federations to in- outside intruders unilaterally. The following framework
crease the availability of privileged information. Unfortu- offers a solution to the integration of individual security
nately, the availability of such information also signifi- systems within the CapWIN enterprise.
cantly increases security risks. This paper presents a
system design for monitoring the security of an integrated 1. 1 Background
public safety network called Capital Wireless Integration
Network (CapWIN). CapWIN is a diverse mixture of pub- Presently, many organizations secure their networks with
lic and private networks that share information in order to the use firewalls in conjunction with Intrusion Detection
provide public safety and transportation services for met- Systems (IDS). A firewall separates a protected network
ropolitan Washington, DC. It is imperative that the mem- from an unprotected one by implementing a set of access
bers of integrated systems such as CapWIN be aware of the controls that restricts or allows traffic to enter the network
security status of the other participants in order to antici- (Curtin and Ranum). Intrusion Detection Systems function
pate security breaches and respond accordingly. As of as a secondary system designed to backup systems such as
now, there are few means by which the members of such firewalls, encryption, and authentication. A secondary sys-
systems can obtain real-time information pertaining to the tem is required in case a primary system’s rule set is not
security status of all other participating parties. The system updated correctly.
presented here integrates these disparate agencies by utiliz- Studies show that these two part security systems
ing existing security information available from each works well across a network of clients on the same server.
agency within the enterprise. However, there is not yet an efficient, reliable method for
simultaneously monitoring the security of disparate net-
works. The aforementioned obstacle is that security sys-
1 INTRODUCTION tems are usually tailored to the network they monitor.
Network intrusion detection systems deduce behavior
This paper describes a state-based approach to modeling based on the content and format of data packets on the
the computer security of a complex public safety network network (Durst). This means that the description of attacks
called Capital Wireless Integration Network or CapWIN. will be ambiguous according to different analyzers, which
CapWIN is a conglomerate between Maryland, Virginia, is the main difficulty with integrating security systems
and the District of Columbia to develop and deploy a wire- from disparate networks. Attacks are described differently
less network that incorporates transportation and public because IDS sensors do not detect the intrusions them-
safety databases and communications. Because of the di- selves, they detect evidence of intrusions and all analyzers
versity of the networks involved in CapWIN (i.e., a wide define evidence that constitutes an intrusion differently.
ranging collection of disparate participating networks of This allows for the same attack from separate IDS sensors
various capabilities and functionalities), the nature and to appear dissimilar. In order to overcome the ambiguity
scale of any security issue must be assessed with regard the across different analyzers, a standard data model for de-
entire system. As of now there is no means for participat- scribing attacks must be incorporated into the security
ing agencies of CapWIN to obtain real-time security in- monitoring system. Utilizing such a protocol enables the
241
 Davis, Hill, Spradley, Wright, Scherer, and Zhang

system to unequivocally interpret alerts from a variety of lyzers output. If the agency does not wish to provide any
analyzers (Cuppens). security data, ping, the simplest level of communication,
will be used to estimate that agencies security status. A
1. 2 Rational ping is a packet of information sent from one computer to a
target computer via IP addresses. When the packet of in-
The primary goal is to observe the integrated CapWIN sys- formation is sent back to the original sender, the time it
tem - a perspective that may not be achievable from any takes to travel round trip is recorded and examined to de-
one agency. “Mixed use” network models involve com- termine the status of the network and the availability of the
bining different networks into a single paradigm and de- target computer. Depending on the round trip time, one
scribing the nature of such integrated systems (Ghosh). can determine the security status of the target computer
This follows CapWIN’s structure of disparate pub- based on historic RTT values recorded from previous
lic/private, public safety/transportation networks. Security pings. If the packet of information is not returned, the user
administrators of networks, especially mixed-use networks, knows that the target IP address is down.
must consider the potential threats against his network, as- The developed ping program performs several simple
sess the likelihood of such events, and alleviate such risks. tasks as it executes. It first creates a file, which is named
This system evaluates the overall security by comparing based on the current time and date. The file names are
the relative security of the individual networks that com- saved in a military date/time group, which later becomes
prise it. Figure 1 demonstrates how the following compo- utilized by the database in order to refresh incoming data.
nents contribute to the entirety of the system: The program uploads a text file from a specific location
• The communications system allows for each partici- that contains information on both the agency identification
pating agency to provide individual security informa- number and its correlated URL address. This text file can
tion. be modified while the monitoring prototype is being exe-
• A data management system maintains the current and cuted, allowing the monitoring director to add or delete
historical information provided by the agencies. agencies from the network monitoring system or to modify
• An analytical service works with the database to per- existing agency information. Note that the file shows the
form necessary calculations for data analysis. URL address of each agency, not the IP address. This is
• A web-based interface presents the analysis to a sys- useful in pinging agencies that have more than one IP ad-
tem monitor and to member agencies. dress.
Next, the program executes a loop that pings each
agency while simultaneously writing the RTT value of
each ping to the file creating at the beginning of the pro-
gram. When the loop has executed pinging the last agency
on the uploaded agency URL list, it iterates again. As a
result, it writes a new file with the new military date/time
based and begins recording ping RTT values in the new
file. These files are continually saved to a folder on a re-
mote computer, where they await being sent to a specific
folder in another computer to be downloaded by the secu-
rity monitoring database.
As the ping log files are being compiled and saved, an
FTP (File Transfer Protocol) application automatically
transfers these files every minute to the specified folder
designated by the Capstone group database coordinator.
As a result, a virtual real-time feed of ping data is being
sent directly to the database, from which it can be cached
and manipulated and then visually displayed in the GUI.
In order to format the log files so that they are com-
Figure 1: General Security Monitor Diagram patible with the security monitoring database, the files are
saved in a comma separated value file (.CSV file). The
first set of characters represents the agency identification
2 DATA RETRIEVAL number, denoted by a value ranging from 1 to 35. The
second set of characters represents the RTT value of the
Agencies will choose from the following communications ping sent through the network. It is important to mention
options: An agency can send security data via SMTP, that a returned value of 0 or –1 means that a successful
FTP, or Direct Transfer. The security data can range from RTT could not be recorded. The last set of digits is a mili-
a single integer to highly detailed log files from their ana-
242
 Davis, Hill, Spradley, Wright, Scherer, and Zhang

tary date time group, which helps to synchronize both the security states of all agency members. StateCalc also cre-
ping software and the database link to the GUI. ates the records use to generate the graphs shown in the
GUI, which are the same record used by the historyUpdate
3 DATA PROCESSING function. HistoryUpdate runs once every 24 hours. Tak-
ing the state records for the past 24 hours, historyUpdate
Upon transfer of security information, processing begins. updates the fields of the histSum table (see Database sec-
Regardless of the chosen communication, combination, a tion). A slightly smaller function, stddev, is used by his-
service calculates a security state score every two minutes toryUpdate for all standard deviation calculations.
for each member. The CapWIN Security Monitor (CSM)
processing service is a Visual Basic applications developed 4 DATABASE STRUCTURE
in three main modules: Database Module, File Processing
Module and Calculation Module. The processing service The CapWIN Security Monitor database, capwindb, is
was designed modularly for encapsulation purposes. The mySQL based and consists of 13 tables. These tables in-
main three modules are explored in detail in the following clude member, contacts, favorites, category_lkp, attrib-
sections. ute_lkp, attribute_value, ping_data, state, securitystate_lkp,
histSum, timex and calendar. Figure 2 contains a diagram
3.1 File Processing Module of the database layout, table fields and relationships.
While designing the capwindb we focused on query time
The file procession module performs all file procession op- and space efficiency, while ensuring that it would support
erations, including searching for files (placed in a specific not only the current developing system and requirements,
folder by the FTP server), opening files, copying files and but also future expansion options.
deleting files. Three main functions comprise the file pro-
cession module: Get_files, LoadPingFiles and MoveFiles.
Get_files searches a predetermined folder (c:/web/files/log)
for log files and stores the direct addresses and filenames
in a list, List1. LoadPingFiles facilitates the loading of all
the files stored in List1 by use of database module func-
tions. Finally, MoveFiles, moves each individual file from
the log file folder (c:/web/files/log) into the processed
folder (c:/web/files/processed).

3.2 Database Module

The database module facilitates all interaction with the ac-

tual database. Major functions include connecting to the
database, disconnecting from the database, sending data-
base commands, and returning Adobe record sets. Data-
base module is actually a class module, with three main at-
tributes (private variables) and four member functions.
The database class attributes include adoConn (an
Adobe database connection), adoRS (Adobe record set),
and blnInitialized (Boolean variable). AdoConn and
adoRS serve as the database connection and record set in
all member functions throughout the database class. At
any given time, blnInitialized contains a true value if the
database is connection is initialized and false if the connec-
tion is not initialized.

3.3 Calculation Module

.
The Calculation module handles all moving average, stan- Figure 2: Capwindb database relationship diagram.
dard deviation and state calculations necessary for the ana-
lytical displays in the graphical user interface (GUI).
MdlCalc, the calculation module, has three main functions;
stateCalc, historyUpdate and stddev. The stateCalc func-
tion is run about every two minutes to calculate the current
243
 Davis, Hill, Spradley, Wright, Scherer, and Zhang

5 GRAPHICAL USER INTERFACE impossible to determine, the latency used for the time plot
is calculated by taking the mean latency of several differ-
ent “stable” sites. The pool of “stable” sites consists of a
5.1 Overall System Score Time-Series Plot mix of government or big business sites, such as Micro-
soft.com, that are known to have a substantially large
The Home view or the view that first appears after the user server and high-level security.
logs in, is a time-series plot of the overall system score. By keeping track of how fast packets are returned
The x-axis covers a 24-hour time period in military hours from the “stable” sites in comparison to past behavior, the
starting at 0:01 and ending at 24:00 (midnight). A full day ISMS can estimate the status of the network in general.
is shown so that the user can visualize any pattern that oc- Visualizing the current state of the network allows the user
curs on a daily basis. Later developments of the ISMS to compare the overall security of CapWIN with the rela-
may include options for the user to set his own time scale tive speed of the network to look for correlations. For ex-
in order to see shorter or longer periods of time on one ample, if the CapWIN score is above the red line, and the
plot. The y-axis, representing the overall system score, network status is also above the red line, this indicates that
ranges from zero to one and is the normalized weighted the delay of the CapWIN system is probably due to the
average of all the individual agency scores. The page network itself. However, if the client sees that the network
automatically refreshes every two minutes, ensuring that is behaving normally, he/she can be assured that the irregu-
the plot displays the most current data. A red horizontal larity of the CapWIN system is not related to network con-
line specifies the lower limit of Level 5, signifying compo- gestion and, instead, signifies a potential targeted threat.
nent/components of the system is under a major threat.
Similarly, a score between the orange and red lines indi-
cates that the system is in Level 4 which is complete isola- 5.3 System to Network Ratio Plot
tion of all sub-systems.
The System to Network Ratio Plot lets the client quickly
determine whether or not the CapWIN system is behaving
similarly to the entire network. This plot is a ratio of the
CapWIN z-value over the network z-value. A value close
to one indicates that the CapWIN system and the network
are both performing similarly (this could mean both are
behaving normally or abnormally). A value between zero
and one indicates that the network is behaving abnormally
and CapWIN is not. The ratio is greater than one when
CapWIN is performing abnormally and the network is not.
Because the ratio has a great number of possible values and
the system is mainly concerned with values less than or
greater than one, any value greater than two has been trun-
cated to two. A negative z-value means that the historical
ping latency is greater than the current ping latency.
Therefore, a negative ratio implies that either the system or
the network is performing faster than it has in the past.
Figure 3: GUI Screenshot
The user should be most concerned when the ratio is ap-
proaches positive or negative two. This is because a large
absolute value of the ratio increases the likelihood that the
5.2 Current Network Status Time-Series Plot
irregularity of the CapWIN system is not related to net-
work congestion.
A link labeled Network Status located in the top left corner
causes a pop-up window to appear. This window shows
the current behavior of the network in comparison with
5.4 Technical Details of Time Plots
past behavior by plotting a z-value over a 24-hour time pe-
riod. As previously discussed in Chapter 4 the z-value (y-
The time series plots are created using HTML (Hypertext
axis) is determined by subtracting the historical mean ping
Markup Language), ASP (Active Server Pages), and SVG
latency with the current ping latency and dividing by the
(Scalar Vector Graphics). HTML code is used to format
standard deviation.
and display all static images. SVG is a language for de-
Ping latency is the amount of time (usually in ms) it
scribing two-dimensional vector graphics, meaning that
takes for a packet to return from an IP address. Because a
with SVG every object on a page is drawn using (x,y) co-
precise measurement of latency across the entire network is
ordinates (Bowler, et al). Each time plot is an SVG docu-
244
 Davis, Hill, Spradley, Wright, Scherer, and Zhang

ment that is re-created every time a page is loaded. ASP Cuppens, F. and R. Ortalo. Lambda: A language to model a
code is used to pull necessary information such as z-values, database for detection of attacks. In Proceedings of the
system scores, and times from the database and store it for Third International Workshop on the Recent Advances in
temporary use. Finally, a linear equation converts these Intrusion Detection (RAID'2000), October 2000.
values into the appropriate (x,y) coordinates. These coor-
dinates are determined every two minutes when the page Curry, D. and Debar, H. “Intrusion Detection Message Ex-
refreshes and are used to draw the time plot path. change Format: Extensible Markup Language (XML)
Document Type Definition,” http://www.ietf.org.internet-
drafts/draft-ietf-idwg-idmef-xml-06.txt, Dec. 2001.
5.5 Geographical Map
Curtin, Matt. and Ranum Marcus. “Internet Firewalls:
The geographical map link, illustrated in Figure 7, opens a FAQ”. www.internethack.net\pubs\fwfaq, 2000
map of Metropolitan DC with the name of each CapWIN
agency in its relative location. The color of the agency Durst, Robert, et al. “Testing and Evaluating Computer
name indicates the agencies security state: Black (1), Yel- Intrusion Detection Systems.” Communications of the
low (2), and Red (3). Displaying the relative geographic ACM July 1999: 53- 61.
locations of agencies allows users to easily identify if an
attack is concentrated in a particular area. If the attack is Ghosh, S. Principles of Secure Network Systems Design.
recognized as corresponding to a specific section on the Springer, New York, 2002.
map, then other agencies in close proximity can react ac-
cordingly. An additional feature may be for a text box that Graham, Robert. FAQ website.
contains detailed security information to appear when the <http://www.robertgraham.com/pubs/network-intrusion-
user rolls the mouse over each agency name. Future de- detection.html> October 19, 2002.
velopments may also incorporate shaded sections of the
map indicating the status of districts within CapWIN. For ITS America, What is ITS?, 2002.
example, the Arlington District would include the Arling- http://www.itsa.org/whatits.html. Accessed July 23, 2002.
ton Police, Fire and Transportation departments.
Kemmerer, R.A. and Vigna, G. “Intrusion Detection: A
Brief History and Overview.” IEEE Symp. Security and
6 CONCLUSION Privacy, IEEE CS Press, Los Alamitos, Calif., 2002, pp.
27-29.
This paper has explained the design of a security monitor-
ing system for an integrated network comprised of dispa- Ogden, R.T., (1997) Essential Wavelets for Statistical Ap-
rate public safety and transportation systems. The pro- plications and Data Analysis, Birkhauser.
posed system provides each participant with an overview
of the status of the entire system. Future advancements of Packer, Ryon. “A Basic Guide to Intrusion Detection.”
this project should focus on further development of the use White Papers. August 2001: 1-8.
of XML Schemas to incorporate higher levels of informa-
tion into the monitoring system. More sophisticated data Scherer, William T., et al. “Integrated ITS Security Moni-
could result in more detailed analysis and evaluation of the toring- A State Based Data Fusion Approach.” Submitted
true security state of the overall system. Also, with the use to the Transportation Research Board. Submission Date:
of more sophisticated data, alerts could be correlated using July 2002.
clustering techniques, allowing for different types of visu-
alization for the data. Scherer, William T., Spradley, Leah L., Evans, Marc H.
“Integrated “Mixed” Networks Security Monitoring – A
Proposed Framework.” Submitted for an Independent
REFERENCES Study. February 10, 2003.

Bowler, et al. Scalable Vector Graphics (SVG) 1.0 Speci- Sherif, Joseph and Dearmond, Tommy G. Intrusion Detec-
fication. W3C Recommendation 04 September 2001. tion: Systems and Models. Proc. Of the Eleventh IEEE In-
http://www.w3.org/TR/SVG/. Accessed January, 2003. ternational Workshops on Enabling Technologies: Infra-
structure or Collaborative Enterprises, 2002. VDOT,
CapWIN. Roles, 2002. http://www.capwinproject.com/. Planned changes FY2002 environment, Enterprise comput-
Accessed July 23, 2002. ing Environment, Virginia Department of Transportation
(VDOT), May 30, 2001.

245
 Davis, Hill, Spradley, Wright, Scherer, and Zhang

“Whatis.com” 5 September 2002 JANELLE DAVIS is a fourth year Systems and Informa-
<http://www.whatis.com/> tion Engineering undergraduate student at the University of
Virginia. She has experience in database administration,
AUTHOR BIOGRAPHIES web design, web system development, application devel-
opment and testing. In addition, her corporate experience
ERIC S. Hill is a fourth-year Systems Engineering under- has prepared her well to face numerous issues arising in
graduate student at the University of Virginia. As a Sys- information technology based projects. She can be contact
tems Engineering undergraduate, he has studied computer at <[email protected]>
networks. He can be contacted by e-mail at
<[email protected]> DR. WILLIAM T. SCHERER is an Associate Professor
of Systems and Information Engineering at the University
LEAH SPRADLEY is a fourth year Systems and Informa- of Virginia. His current research interests include Intelli-
tion Engineering undergraduate student at the University of gent Transportation Systems, Markov decision processes,
Virginia. She plans to work in the Information Security systems engineering methodologies, and engineering edu-
Department of BBN Technologies after graduating. She cation.
can be contacted at <[email protected]>

246

View publication stats