Danger Theory Concepts Improving Malware Detection of Intrusion Detection Systems that uses Exact graphs


2015 International Conference on Computational Science and Computational Intelligence

Suhair Amer, Department of Computer Science, Southeast Missouri State University, One University Plaza, Cape Girardeau, MO, USA
Joshua Leonard, Department of Computer Science, Southeast Missouri State University, One University Plaza, Cape Girardeau, MO, USA

Abstract: This paper describes the development of an intrusion detection system (IDS) that incorporates ideas from danger theory, which improves the IDS's performance compared to not using danger theory. Both systems use Exact Graphs to store the series of system calls in the database. Both the original and the enhanced IDS were first trained using a series of normal system calls. In the enhanced IDS, the system also responds to changes in hardware signals, which correspond to danger signals. Results of the comparison show that the danger-theory-enhanced system outperforms the original system.

Keywords: IDS, danger theory, exact graph, anomaly detection.

I. INTRODUCTION

As our everyday lives have become more intertwined with the digital world, security is becoming essential. Several approaches have been taken to defend our systems from becoming compromised. For example, the improved performance of modern computing systems has reduced the computational overhead imposed by system call monitoring, which has also made system calls an important data source for process anomaly detection systems. IDSs use system calls to monitor an application for signs of intrusion and possibly alert an operator. Detection can be done in real time or offline. Offline detection audits previously gathered log files. Some real-time systems automatically take measures to actively prevent an attack, such as denying suspicious system calls or delaying their execution. IDSs which actively respond to an intrusion are called intrusion prevention systems [5].
One of the most common approaches to anomaly-based intrusion detection is to defend against a series of unsafe or unauthorized system calls. Approaches used to detect unsafe system calls include misuse, anomaly, and specification-based detection [14].

Misuse detection saves series of system calls that are known to be dangerous in a database. In detection mode, currently processed system calls are compared against the database and, if a match is found, an intrusion is flagged. This approach produces no false positives, but it may miss attacks, producing false negatives [14].

Anomaly detection uses a training period to define normal behavior. The system saves patterns that are known to be safe in a database [5]. If the currently processed system call matches any in the database, it is allowed; if it does not, it is flagged as an anomaly and marked as unsafe. Anomaly detection can detect all foreign system calls but can produce many false positives. It is also difficult to add a new safe pattern to its database [14].

Specification-based detection is similar to anomaly detection in that it detects series of system calls that are not included in the safe database. However, specification-based detection sends the non-matching system call sequences to a machine-level classifier, which either flags the sequence as unsafe or adds it as a new behavior to the safe series list [14]. This approach is able to recognize new attacks while at the same time adjusting to new safe uses without the need for user input.

The human immune system has many complex characteristics that enable it to protect humans while adapting to the environment. It uses both the innate immune system and the adaptive immune system. Specification-based intrusion detection systems are built on theories borrowed from the human immune system. The human immune system keeps a record of the antigens that it has encountered before.
At the same time, on the adaptive side, dendritic cells encounter antigens and classify them. Until recently it was thought that the immune system classified antigens only by whether they belong to self or non-self. However, danger theory states that the immune system not only distinguishes antigens as self or non-self, but also as safe or non-safe [1][20]. In this paper we test this idea, borrowed from danger theory, to enhance the performance of an IDS that uses Exact Graphs to store sequences in its database.

II. RELATED WORK

IDSs are software systems designed to identify and prevent the misuse of computer networks and systems. James Anderson was one of the first people to discuss IDSs [3], and Dorothy Denning was the first to discuss an IDS implementation [8]. There have been attempts to classify IDSs, such as the works of [4][5][7], where an IDS is placed in one of two classes: misuse detection and anomaly detection. The misuse detection approach examines network and system activity for known misuses using, for example, a pattern-matching algorithm. The anomaly detection approach compares currently processed system calls against a profile of normal network or system behavior; any system call that does not match this profile is considered anomalous. Both approaches have strengths and weaknesses. Misuse-based systems generally have very low false positive rates, but they are unable to identify novel attacks, which leads to high false negative rates. Anomaly-based systems are able to detect novel attacks but produce a high number of false positives, because they do not account for real-world normal and legitimate computer usage that may have changed over time [10].

IDSs can also be classified according to their placement as host-based, network-based or hybrid systems. Host-based systems are placed on each monitored host and collect log files of the host's operation, network traffic to and from the host, or information about processes running on the host [18]. Network-based IDSs monitor the traffic on the network containing the hosts to be protected, and are usually run on a separate machine [11]. Host-based systems are able to determine whether an attempted attack was indeed successful. They can also detect local attacks, privilege escalation attacks and attacks that are encrypted. However, they are difficult to deploy and manage, especially as the number of hosts increases, and they are unable to detect attacks against multiple targets in the network.
Network-based systems are able to monitor a large number of hosts with relatively low deployment costs, and are able to identify attacks to and from multiple hosts. However, they are unable to detect whether an attempted attack was indeed successful, and are unable to deal with local or encrypted attacks. Therefore, hybrid systems, which incorporate host- and network-based elements, can offer the best protection against attacks from multiple sources [10].

The Human Immune System (HIS) is a robust, complex, adaptive system that defends the body from foreign pathogens. It categorizes cells within the body as self-cells or non-self-cells [6][2][9]. The immune system is a multi-layered defense system that protects living organisms from disease. These layers consist of physical barriers and specialized cells that can recognize and kill antigens. Mechanical and chemical barriers such as skin, mucous secretions and enzymes, with their changing pH and temperature, provide the first line of defense against antigens. Bacteria on the skin surface are generally unable to pass through the skin barrier. The second line of defense is the innate immune system, which consists of a family of cells that recognize, attack, and then kill antigens. The innate response is not antigen-specific and fights any infection without the need for previous immunization. It has two different modes of action: a rapid action and a medium-to-slow action performed via inflammation or by natural killer (NK) cells [13]. When the innate system fails, an infection is established and acquired immunity starts to develop. The acquired immune response is based on a complex learning process that makes the immune system adaptively acquire better immunity during its lifetime [2]. The human immune system features that are relevant to intrusion detection are matching, diversity and distributed control.
These processes depend on two important kinds of white blood cells, T-cells and B-cells. T-cells are of three types: helper T-cells, which are essential to the activation of B-cells; killer T-cells, which bind to foreign invaders to destroy them; and suppressor T-cells, which inhibit the action of other immune cells, preventing allergic reactions and autoimmune diseases. B-cells are responsible for the production and secretion of antibodies, which are specific proteins that bind to the antigen [6][2][9]. Danger theory has been used to implement different systems, such as solving classification problems [21], risk assessment [19], spam detection [17], and virus detection [12].

III. DESIGN

In this paper, two anomaly-based intrusion detection systems are built. The original system does not incorporate danger theory ideas. The original system is then compared with an enhanced system that uses some of the danger theory functionalities. Since we are testing whether using concepts from danger theory improves detection, the IDS's algorithm was kept simple. System calls were read and repeated sequences were stored in the underlying graph, which was an Extended Action Graph, or Exact Graph [16]. This graph kept connections between nodes when a series of calls connected them. Between every pair of nodes was a bit array of binary ones and zeros.

In matching mode, the list of starting nodes was checked for the first node of the sequence. If this node did not exist, there was no match. After the initial match, the new sequence initialized a local bit array of all 1s. The sequence was then traversed within the graph and, at every transition, a bitwise AND was performed between the transition bit array and the sequence's local bit array. If at any time the local bit array was all zeros, the sequence was not a match. However, if the sequence completed with at least one binary one remaining, the sequence was confirmed as a match.

To insert new sequences, we start by checking that the sequence does not already exist. If it is indeed a unique and new sequence, its first node is added to the list of start states. The sequence is given a bit array one digit longer than the bit arrays currently in the graph. The leftmost digit of this local bit array is set to one and the rest to zero. The sequence is then traversed, assigning the result of a bitwise OR between the transition bit array and the local bit array back to the transition bit array [15].

Once the original IDS was implemented, verified and tested, we started enhancing it to include functionalities borrowed from danger theory. This included the ability to read hardware signals and differentiate between safe and unsafe hardware states. The system would then allow unknown sequences to be stored if considered safe, or flag them as a threat if considered unsafe.

IV. IMPLEMENTATION

This project was implemented in C++ using Microsoft's Visual Studio compiler. It made use of some C++11 features available only in recent compilers, namely std::regex, and used the Boost library's dynamic_bitset. The first phase involved implementing the underlying intrusion detection system. After considering several options, anomaly-based detection was chosen, in particular using an underlying graph, for its ability to store sequences quickly and compactly while still allowing fast checks against the graph. We chose the Extended Action Graph, or Exact Graph [16]. This graph was implemented to store series of system calls as required by the IDS. After the Exact Graph was implemented, the IDS was built around it. Functions were implemented to train the IDS as well as to examine series of system calls, comparing them to the series present in the Exact Graph. The system was then fully functional as an IDS, with the ability to differentiate between self and non-self.
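The matching and insertion rules of Section III, worked through as an added C++ example. This is not the authors' code: it uses std::vector<bool> where the paper's implementation used boost::dynamic_bitset, and it gives each newly inserted sequence a fresh bit at the end of the array rather than at the leftmost position, which is equivalent. The call names and the two training sequences are constructed for the example. The point the last check makes is why the per-transition bit arrays matter: the transitions open to read and read to write both exist in the graph, but they come from different stored sequences, so the AND of their bit arrays is all zeros and the stitched path is rejected as non-self instead of being accepted as a plain graph walk would.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// One bit per stored sequence: bit i of a transition's array is set iff stored
// sequence i uses that transition.  std::vector<bool> stands in for the
// boost::dynamic_bitset the paper's implementation used.
using BitArray = std::vector<bool>;
using Sequence = std::vector<std::string>;   // a series of system call names

class ExactGraph {
public:
    // Matching mode: the first call must be a start node, then every transition
    // ANDs its bit array into the local one; an all-zero local array means the
    // path exists only by stitching different stored sequences together.
    bool matches(const Sequence& seq) const {
        if (seq.empty() || starts_.count(seq[0]) == 0) return false;
        BitArray local(width_, true);                     // local bit array of all 1s
        for (std::size_t i = 1; i < seq.size(); ++i) {
            auto it = edges_.find({seq[i - 1], seq[i]});
            if (it == edges_.end()) return false;         // transition never seen
            bool any = false;
            for (std::size_t b = 0; b < width_; ++b) {
                local[b] = local[b] && it->second[b];     // bitwise AND
                any = any || local[b];
            }
            if (!any) return false;
        }
        return true;                                      // at least one 1 survived
    }

    // Insertion: only unknown sequences get a new bit; the sequence's first call
    // becomes a start node and the new bit is ORed into every transition it uses.
    bool insert(const Sequence& seq) {
        if (seq.empty() || matches(seq)) return false;
        const std::size_t id = width_++;                  // fresh bit position
        for (auto& e : edges_) e.second.push_back(false); // widen existing arrays
        starts_.insert(seq[0]);
        for (std::size_t i = 1; i < seq.size(); ++i) {
            BitArray& bits = edges_[{seq[i - 1], seq[i]}];
            bits.resize(width_, false);                   // new transition, if any
            bits[id] = true;                              // bitwise OR of the local array
        }
        return true;
    }

    std::size_t stored() const { return width_; }

private:
    std::size_t width_ = 0;                               // number of stored sequences
    std::set<std::string> starts_;                        // start states
    std::map<std::pair<std::string, std::string>, BitArray> edges_;
};

// Constructed training data: two "normal" sequences that share the call "read".
bool demo_exact_graph() {
    ExactGraph g;
    g.insert({"open", "read", "close"});
    g.insert({"read", "write", "exit"});
    return g.matches({"open", "read", "close"})
        && g.matches({"open", "read"})             // prefix of a stored sequence
        && g.matches({"read", "write", "exit"})
        && !g.matches({"open", "read", "write"})   // transitions exist, but from different sequences
        && !g.matches({"close", "open"})           // "close" is not a start node
        && !g.insert({"open", "read"})             // already covered, not inserted again
        && g.stored() == 2;
}

int main() {
    std::cout << (demo_exact_graph() ? "exact graph checks passed" : "exact graph checks FAILED") << '\n';
    return 0;
}
```

Note that a prefix of a stored sequence matches, exactly as the paper's rule states (the local array still has a one when the input ends), so a monitor built on this structure sees a partial sequence as self; the danger-signal layer is what decides what to do with sequences that do not match.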
Once the IDS was implemented and functional, another version was implemented: the enhanced system with danger theory functionalities. This system read hardware signals, such as the percentage of CPU time used and the percentage of RAM in use. These signals were read at predetermined intervals and were used to differentiate not only self from non-self but also safe from non-safe states. CPU and RAM data had predetermined thresholds, and when these thresholds were reached the system was considered under distress.

We tested the system against four scenarios. In the first scenario, the system call was flagged and recognized with no danger signals present. In the second, the system call was flagged and recognized with danger signals present. In the third, the system call was not flagged and unrecognized with no danger signals present. In the fourth, the system call was flagged and unrecognized with danger signals present.

In the first scenario, the IDS clears the sequence as safe and, since there are no danger signals present, the sequence is determined to be safe. No further action is taken. In the second scenario, the sequence is stored temporarily and quarantined. If the system continues to present danger signals continuously for a predetermined amount of time, the sequence is flagged as an attack and the system is alerted. Otherwise, if the danger signals subside (the system returns to normal), the sequence is allowed. In the third scenario, the sequence is once again stored temporarily and quarantined. If danger signals are detected within a predetermined time frame, the sequence is flagged as unsafe and the attack is reported to the system. However, if the system remains danger-free for this time period, the sequence is considered safe and is inserted as a new safe sequence into the graph. This ability to add new safe sequences gives this system a flexibility that traditional anomaly-based detection systems do not have [14].
This system can adapt to new safe behaviors that take place, while ideally recognizing new attacks. In the fourth scenario, the sequence is foreign and danger is recognized. The sequence is flagged as dangerous and the attack is reported to the system.

V. RESULTS

Both the original IDS and the enhanced IDS were tested using data found at [ ]. Each system was trained using one training file and then tested against the homegrown Trojan attacks as well as the recovered Trojan attacks. In addition to these known attacks, the systems were also tested against another training data file (which was free of attacks) and a file which simulated a Denial of Service attack, making over thirteen thousand system calls.

When testing against the homegrown attacks, the original IDS classified all 1617 sequences as unsafe. Similarly, with the recovered data, all 1512 sequences were recorded as dangerous. When the second safe training data file was tested against the original IDS, the IDS classified all 3373 of its sequences as anomalous. When given the challenge of the Denial of Service (DoS) attack, the original IDS classified 8 attacks from a total of [ ].

Testing the enhanced IDS was more strenuous. Since the enhanced system takes not only system calls but also data relating to danger signals [1], more testing was done to determine the effect of different patterns of danger signals. For both the homegrown and recovered attacks, the system was tested three times using three different sets of hardware signal data. The first set was data in which the hardware usage oscillated up and down in a pseudo-random fashion. The second set was data in which the hardware exhibited no unsafe danger signals. The third set was data in which the hardware exhibited exclusively unsafe danger signals.

For the testing against homegrown attacks with the pseudo-random danger signals, the system reported 70 attacks from the 1617 sequences processed, and deemed 219 sequences safe enough to be saved into the system. With safe signals, no attacks were reported and the number of sequences inserted into the collection of safe sequences rose to 250. When given unsafe signals, the system identified each of the 1617 sequences as unsafe. When the enhanced system was tested against the recovered attacks the results were similar: 29 of 1512 sequences were identified as unsafe with pseudo-random danger signals, while 145 sequences were stored as safe. With safe signals, no attacks were reported and 159 sequences were added to the safe sequence collection. With unsafe signals, each of the 1512 sequences was determined to be an attack. When the system was tested with the second training data file, the system was passed safe signals, as training the system is assumed to be a safe process. The system reported none of the 3373 sequences as attacks while adding 545 new sequences to its collection of safe sequences.
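The four-scenario quarantine logic of Section IV, as an added C++ example that is not the paper's implementation. The three-tick quarantine window, the 90% CPU and RAM thresholds, the sequence strings and the tick-by-tick readings are all constructed for the example (the paper does not give its interval or threshold values), and a plain std::set of known sequences stands in for the Exact Graph. The run in run_demo walks through each scenario once, including the case the results section highlights: a known sequence that is quarantined under danger and turns into an alert only because the danger persists for the whole window.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Hardware readings act as the danger signals.  Thresholds are constructed
// for this example; the paper only says they were predetermined.
struct Thresholds { double cpu_pct; double ram_pct; };

bool danger_signal(double cpu_pct, double ram_pct, const Thresholds& t) {
    return cpu_pct >= t.cpu_pct || ram_pct >= t.ram_pct;
}

enum class Verdict { Safe, Quarantined, Attack };

class DangerIds {
public:
    explicit DangerIds(int window) : window_(window) {}

    void train(const std::string& seq) { known_.insert(seq); }

    // Immediate decision for one sequence seen at time `now`.
    Verdict observe(const std::string& seq, bool danger, int now) {
        const bool known = known_.count(seq) > 0;
        if (known && !danger) return Verdict::Safe;          // scenario 1
        if (!known && danger) {                              // scenario 4
            attacks_.push_back(seq);
            return Verdict::Attack;
        }
        pending_.push_back({seq, known, now + window_});     // scenarios 2 and 3
        return Verdict::Quarantined;
    }

    // Re-evaluate quarantined sequences against the danger state at `now`.
    void tick(bool danger, int now) {
        std::vector<Pending> keep;
        for (const Pending& p : pending_) {
            if (p.known) {
                // scenario 2: known sequence seen under danger.  Danger clearing
                // releases it; danger lasting the whole window makes it an attack.
                if (!danger) { released_.push_back(p.seq); continue; }
                if (now >= p.deadline) { attacks_.push_back(p.seq); continue; }
            } else {
                // scenario 3: unknown sequence seen while calm.  Danger inside the
                // window makes it an attack; a calm window makes it a new safe sequence.
                if (danger) { attacks_.push_back(p.seq); continue; }
                if (now >= p.deadline) {
                    known_.insert(p.seq);
                    learned_.push_back(p.seq);
                    continue;
                }
            }
            keep.push_back(p);
        }
        pending_.swap(keep);
    }

    const std::vector<std::string>& attacks() const { return attacks_; }
    const std::vector<std::string>& learned() const { return learned_; }
    const std::vector<std::string>& released() const { return released_; }
    std::size_t pending() const { return pending_.size(); }

private:
    struct Pending { std::string seq; bool known; int deadline; };
    int window_;
    std::set<std::string> known_;
    std::vector<Pending> pending_;
    std::vector<std::string> attacks_, learned_, released_;
};

// Constructed run through all four scenarios with a three-tick window.
DangerIds run_demo() {
    const Thresholds t{90.0, 90.0};
    DangerIds ids(3);
    ids.train("open read close");

    const bool calm = danger_signal(20.0, 40.0, t);      // below both thresholds
    const bool hot  = danger_signal(97.0, 40.0, t);      // CPU over threshold

    ids.observe("open read close", calm, 0);             // 1: known, calm -> Safe
    ids.observe("read write exit", calm, 0);             // 3: unknown, calm -> quarantined
    for (int now = 1; now <= 3; ++now) ids.tick(calm, now);   // calm window -> learned

    ids.observe("open read close", hot, 4);              // 2: known, danger -> quarantined
    ids.observe("fork exec", hot, 4);                    // 4: unknown, danger -> Attack
    for (int now = 5; now <= 7; ++now) ids.tick(hot, now);    // danger persists -> attack

    ids.observe("open read close", hot, 8);              // 2 again, danger clears next tick
    ids.tick(calm, 9);                                   // released as safe
    return ids;
}

int main() {
    DangerIds ids = run_demo();
    std::cout << "attacks: " << ids.attacks().size() << ", learned: " << ids.learned().size()
              << ", released: " << ids.released().size() << '\n';
    return 0;
}
```

The window is the lever the conclusion talks about: with `calm` fed to every tick, scenario 3 learns every unknown sequence as safe, which is the false-negative behaviour the paper reports for runs without a steady stream of danger signals.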
When the system was tested against the Denial of Service attack, a danger signal data set was given that started out safe, rose slowly to unsafe levels, and then slowly sank back below the danger signal threshold. The system determined that 1228 of the system call series were attacks. Results are shown below in Tables I-V.

[TABLE I: BEHAVIOR OF ORIGINAL SYSTEM AND DETERMINING HOW MANY SYSTEM CALLS WERE CLASSIFIED SAFE/UNSAFE WHEN COMPARED TO SEQUENCES TESTED. TESTED AGAINST THE HOMEGROWN TROJAN ATTACKS, RECOVERED TROJAN ATTACKS, TRAINING DATA FILE (WHICH WAS FREE OF ATTACKS) AND. Column header: Original IDS; rows: Homegrown, Recovered, Training, DoS.]

[TABLE II: BEHAVIOR OF ENHANCED WITH RANDOM SIGNALS SYSTEM AND DETERMINING HOW MANY SYSTEM CALLS WERE CLASSIFIED. Column header: Random Signals; rows: Homegrown, Recovered, Training (3373, X, X, X), DoS (X, X, X).]

[TABLE III: BEHAVIOR OF ENHANCED WITH SAFE SIGNALS SYSTEM AND DETERMINING HOW MANY SYSTEM CALLS WERE CLASSIFIED. Column header: Signals; rows: Homegrown, Recovered, Training, DoS (X, X, X).]

[TABLE IV: BEHAVIOR OF ENHANCED WITH DANGER SIGNALS SYSTEM AND DETERMINING HOW MANY SYSTEM CALLS WERE CLASSIFIED. Column header: Danger Signals; rows: Homegrown, Recovered, Training (3373, X, X, X), DoS (X, X, X).]

[TABLE V: BEHAVIOR OF ENHANCED WITH PEAKING SIGNALS SYSTEM AND DETERMINING HOW MANY SYSTEM CALLS WERE CLASSIFIED. Column header: Peaking Signals; rows: Homegrown (1617, X, X, X), Recovered (1512, X, X, X), Training (3373, X, X, X), DoS.]

VI. CONCLUSION

When comparing the original system with the enhanced systems we notice the following. First, the original IDS performs very well when tested against actual attack data, as it is very unlikely to produce false negatives. However, when subjected to the second training data file (being in a dangerous state), its weakness was its inability to differentiate safe from harmful. In addition, since the Denial of Service attack used only known sequences, the system was unable to detect that an attack was being made.

The IDS enhanced with danger theory also showed merits and demerits. The effectiveness of the system depended on the danger signals detected and their duration. In the tests against the homegrown and recovered attack data, some attacks were detected when there was a mix of safe and unsafe danger signals. When danger signals were present, the system picked up on all attacks. However, without a constant stream of unsafe danger signals, the system did produce a large number of false negatives and treated attacks as safe. The enhanced IDS showed merits in the second training data test and the DoS attack. Because the system depends on danger signals, it can adapt and learn new safe behaviors. Because this system uses information about the hardware, it is uniquely suited to pick up on Denial of Service attacks. When the danger levels rose, the system identified that it was under attack and flagged each of the attacking system call series until the danger levels fell back to a level indicating the attack was over.
In addition, the enhanced IDS used no additional memory and very little CPU time. In the future, the system could be enhanced by adding a second layer of classification to confirm the decisions influenced by the danger signals. Stricter rules could also be used to determine when to insert a sequence into the known safe sequence collection. To help prevent unsafe sequences from being added as safe sequences into the graph, a second preliminary tree could be kept. The system would insert new safe sequences into this tree temporarily, and confirmation would need to be given (perhaps by several repetitions of the new sequence) before the sequence is moved to the system's live graph.

REFERENCES

[1] U. Aickelin and S. Cayzer (2002). The Danger Theory and Its Application to Artificial Immune Systems. Proceedings of the 1st International Conference on Artificial Immune Systems.
[2] U. Aickelin and D. Dasgupta. Artificial Immune Systems Tutorial. To appear in Introductory Tutorials in Optimization, Decision Support and Search Methodology (eds. E. Burke and G. Kendall), Kluwer.
[3] J. P. Anderson. Computer Security Threat Monitoring and Surveillance. James P. Anderson Co., Fort Washington, PA.
[4] S. Axelsson. Research in intrusion-detection systems: a survey. Technical report, Department of Computer Engineering, Chalmers University of Technology, December.
[5] S. Axelsson (2000). Intrusion Detection Systems: A Survey and Taxonomy.
[6] D. Dasgupta. Immuno-Inspired Autonomic System for Cyber Defense. Computer Science Technical Report, May.
[7] H. Debar, M. Dacier, and A. Wespi. A revised taxonomy of intrusion-detection systems. Annales des Telecommunications, 55:83-100.
[8] D. E. Denning. An Intrusion Detection Model. IEEE Transactions on Software Engineering, 13(2).
[9] S. A. Hofmeyr. An Interpretative Introduction to the Immune System. In: Segel, L.A., Cohen, I.R. (Eds.), Design Principles for the Immune System and Other Distributed Autonomous Systems, Oxford University Press, New York.
[10] J. Kim, P. Bentley, U. Aickelin, J. Greensmith, G. Tedesco and J. Twycross. Immune System Approaches to Intrusion Detection - A Review. Natural Computing, Springer, in print.
[11] J. Leach and G. Tedesco. Firestorm network intrusion detection system. Firestorm Documentation.
[12] T. Lu, K. Zheng, R. Fu, Y. Liu and S. Guo. A Danger Theory Based Mobile Virus Detection Model and Its Application in Inhibiting Virus. Journal of Networks, Vol. 7, No. 8, August.
[13] A. Pagnoni and A. Visconti. An innate immune system for the protection of computer networks. In Proc. of the 4th International Symposium on Information and Communication Technologies, Trinity College Dublin.
[14] R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, and S. Zhou (2002). Specification-based anomaly detection: A new approach for detecting network intrusions. ACM, 18(22).
[15] N. Stakhanova, S. Basu, R. Lutz, and J. Wong (2006). Automated caching of behavioral patterns for efficient run-time monitoring. In: Proceedings of the IEEE International Symposium on Dependable, Autonomic and Secure Computing.
[16] N. Stakhanova, S. Basu, and J. Wong (2009). On the symbiosis of specification-based and anomaly-based detection. Cose, 1(16).
[17] N. F. Sulaiman and M. Z. Jali. Integrated Mobile Spam Model Using Artificial Immune System Algorithms. Knowledge Management International Conference (KMICe).
[18] Y. Xie, H. Kim, D. R. O'Hallaron, M. K. Reiter, and H. Zhang. Seurat: A pointillist approach to anomaly detection. In RAID.
[19] K. Zainal and M. Z. Jali. A Perception Model of Spam Risk Assessment Inspired by Danger Theory of Artificial Immune Systems. Procedia Computer Science 59 (2015).
[20] M. Zekri, L. Souici and Meslati. Immunological Approach for Intrusion Detection. ARIMA Journal, Vol. 17.
[21] C. Zhang and Z. Yi. A danger theory inspired artificial immune algorithm for on-line supervised two-class classification problem. Neurocomputing, 73, March.


More information

1. INTRODUCTION. In 2002 the Computer Security Institute reported that 99% of corporations

1. INTRODUCTION. In 2002 the Computer Security Institute reported that 99% of corporations 1 1. INTRODUCTION In 2002 the Computer Security Institute reported that 99% of corporations and government agencies experienced some kind of security violation [1]. As computer use expands in the coming

More information

A NEW APPROACH TO INTRUSION DETECTION SYSTEM

A NEW APPROACH TO INTRUSION DETECTION SYSTEM A NEW APPROACH TO INTRUSION DETECTION SYSTEM 1 A. KARTIT, 2 A. SAIDI, 3 F. BEZZAZI, 4 M. EL MARRAKI, 5 A. RADI 1,2,3,4,5 Laboratoire de Recherche en Informatique et Télécommunications, Faculty of Sciences,

More information

Introduction Challenges with using ML Guidelines for using ML Conclusions

Introduction Challenges with using ML Guidelines for using ML Conclusions Introduction Challenges with using ML Guidelines for using ML Conclusions Misuse detection Exact descriptions of known bad behavior Anomaly detection Deviations from profiles of normal behavior First proposed

More information

Experiments with Applying Artificial Immune System in Network Attack Detection

Experiments with Applying Artificial Immune System in Network Attack Detection Kennesaw State University DigitalCommons@Kennesaw State University KSU Proceedings on Cybersecurity Education, Research and Practice 2017 KSU Conference on Cybersecurity Education, Research and Practice

More information

DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis

DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis DDoS Attack Detection Using Moment in Statistics with Discriminant Analysis Pradit Pitaksathienkul 1 and Pongpisit Wuttidittachotti 2 King Mongkut s University of Technology North Bangkok, Thailand 1 praditp9@gmail.com

More information

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches

More information

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Arturo Servin Computer Science, University of York aservin@cs.york.ac.uk Abstract. Protection of computer networks against security

More information

Detecting Resource Consumption Attack over MANET using an Artificial Immune Algorithm

Detecting Resource Consumption Attack over MANET using an Artificial Immune Algorithm Research Journal of Applied Sciences, Engineering and Technology 3(9): 1026-1033, 2011 ISSN: 2040-7467 Maxwell Scientific Organization, 2011 Submitted: July 26, 2011 Accepted: September 05, 2011 Published:

More information

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS 10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND

More information

CS 356 Operating System Security. Fall 2013

CS 356 Operating System Security. Fall 2013 CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database

More information

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 13 Chapter 6: Intrusion Detection Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events,

More information

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:

More information

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017 INTRODUCTION The Top 10 Information Technology (IT) Security

More information

SPIDeR. A Distributed Multi-Agent Intrusion Detection and Response Framework. Patrick Miller

SPIDeR. A Distributed Multi-Agent Intrusion Detection and Response Framework. Patrick Miller SPIDeR A Distributed Multi-Agent Intrusion Detection and Response Framework Patrick Miller patrick@spider.doriathproject.com Overview Goals Utilize new and existing sensors collaboratively to generate

More information

A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK

A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK P.Priya 1, S.Tamilvanan 2 1 M.E-Computer Science and Engineering Student, Bharathidasan Engineering College, Nattrampalli. 2

More information

The Mimecast Security Risk Assessment Quarterly Report May 2017

The Mimecast  Security Risk Assessment Quarterly Report May 2017 The Mimecast Email Security Risk Assessment Quarterly Report May 2017 The Mimecast Email Security Risk Assessment Quarterly Report May 2017 Many organizations think their current email security systems

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

More information

How AlienVault ICS SIEM Supports Compliance with CFATS

How AlienVault ICS SIEM Supports Compliance with CFATS How AlienVault ICS SIEM Supports Compliance with CFATS (Chemical Facility Anti-Terrorism Standards) The U.S. Department of Homeland Security has released an interim rule that imposes comprehensive federal

More information

Intrusion Detection Systems Overview

Intrusion Detection Systems Overview Intrusion Detection Systems Overview Chris Figueroa East Carolina University figueroac13@ecu.edu Abstract Modern intrusion detection systems provide a first line of defense against attackers for organizations.

More information

EVALUATIONS OF THE EFFECTIVENESS OF ANOMALY BASED INTRUSION DETECTION SYSTEMS BASED ON AN ADAPTIVE KNN ALGORITHM

EVALUATIONS OF THE EFFECTIVENESS OF ANOMALY BASED INTRUSION DETECTION SYSTEMS BASED ON AN ADAPTIVE KNN ALGORITHM EVALUATIONS OF THE EFFECTIVENESS OF ANOMALY BASED INTRUSION DETECTION SYSTEMS BASED ON AN ADAPTIVE KNN ALGORITHM Assosiate professor, PhD Evgeniya Nikolova, BFU Assosiate professor, PhD Veselina Jecheva,

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

Developing the Sensor Capability in Cyber Security

Developing the Sensor Capability in Cyber Security Developing the Sensor Capability in Cyber Security Tero Kokkonen, Ph.D. +358504385317 tero.kokkonen@jamk.fi JYVSECTEC JYVSECTEC - Jyväskylä Security Technology - is the cyber security research, development

More information

Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows

Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows S. Farzaneh Tabatabaei 1, Mazleena Salleh 2, MohammadReza Abbasy 3 and MohammadReza NajafTorkaman 4 Faculty of Computer

More information

International Journal of Scientific & Engineering Research, Volume 4, Issue 7, July-2013 ISSN

International Journal of Scientific & Engineering Research, Volume 4, Issue 7, July-2013 ISSN 1 Review: Boosting Classifiers For Intrusion Detection Richa Rawat, Anurag Jain ABSTRACT Network and host intrusion detection systems monitor malicious activities and the management station is a technique

More information

Technical Aspects of Intrusion Detection Techniques

Technical Aspects of Intrusion Detection Techniques Technical Aspects of Intrusion Detection Techniques Final Year Project 2003-04 Project Plan Version 0.2 28th, November 2003 By Cheung Lee Man 2001572141 Computer Science and Information Systems Supervisor

More information

An Immunity-Based Anomaly Detection System with Sensor Agents

An Immunity-Based Anomaly Detection System with Sensor Agents Sensors 9, 9, 9175-9195; doi:.339/s919175 OPEN ACCESS sensors ISSN 1424-82 www.mdpi.com/journal/sensors Article An Immunity-Based Anomaly Detection System with Sensor Agents Takeshi Okamoto 1, * and Yoshiteru

More information

Overview Intrusion Detection Systems and Practices

Overview Intrusion Detection Systems and Practices Overview Intrusion Detection Systems and Practices Chapter 13 Lecturer: Pei-yih Ting Intrusion Detection Concepts Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy

More information

An advanced data leakage detection system analyzing relations between data leak activity

An advanced data leakage detection system analyzing relations between data leak activity An advanced data leakage detection system analyzing relations between data leak activity Min-Ji Seo 1 Ph. D. Student, Software Convergence Department, Soongsil University, Seoul, 156-743, Korea. 1 Orcid

More information

The Evolution of System-call Monitoring

The Evolution of System-call Monitoring The Evolution of System-call Monitoring Stephanie Forrest Steven Hofmeyr Anil Somayaji December, 2008 Outline of Talk A sense of self for Unix processes (Review) Emphasize method rather than results Evolutionary

More information

Detecting Botnets Using Cisco NetFlow Protocol

Detecting Botnets Using Cisco NetFlow Protocol Detecting Botnets Using Cisco NetFlow Protocol Royce Clarenz C. Ocampo 1, *, and Gregory G. Cu 2 1 Computer Technology Department, College of Computer Studies, De La Salle University, Manila 2 Software

More information

Maximum Security with Minimum Impact : Going Beyond Next Gen

Maximum Security with Minimum Impact : Going Beyond Next Gen SESSION ID: SP03-W10 Maximum Security with Minimum Impact : Going Beyond Next Gen Wendy Moore Director, User Protection Trend Micro @WMBOTT Hyper-competitive Cloud Rapid adoption Social Global Mobile IoT

More information

Computer Security. Solutions

Computer Security. Solutions Computer Security Solutions What is the Problem? In general, the security issues we are trying to prevent include: illegal or unwanted access to your computer access to your personal information loss or

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

Chapter 9. Firewalls

Chapter 9. Firewalls Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however

More information

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis Keywords: Intelligent Next-Generation Firewall (ingfw), Unknown Threat, Abnormal Parameter, Abnormal Behavior,

More information

Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Intruders & Attacks Cyber criminals Activists State-sponsored organizations Advanced Persistent

More information

Double Guard: Detecting intrusions in Multitier web applications with Security

Double Guard: Detecting intrusions in Multitier web applications with Security ISSN 2395-1621 Double Guard: Detecting intrusions in Multitier web applications with Security #1 Amit Patil, #2 Vishal Thorat, #3 Amit Mane 1 amitpatil1810@gmail.com 2 vishalthorat5233@gmail.com 3 amitmane9975@gmail.com

More information

Insider Threats. Nathalie Baracaldo. School of Information Sciences. March 26 th, 2015

Insider Threats. Nathalie Baracaldo. School of Information Sciences. March 26 th, 2015 Insider Threats Nathalie Baracaldo Ph.D. Candidate date School of Information Sciences March 26 th, 2015 1 Insider Attacks According to CERT insider attackers are defined as: Currently or previously employed

More information

A study on fuzzy intrusion detection

A study on fuzzy intrusion detection A study on fuzzy intrusion detection J.T. Yao S.L. Zhao L. V. Saxton Department of Computer Science University of Regina Regina, Saskatchewan, Canada S4S 0A2 E-mail: [jtyao,zhao200s,saxton]@cs.uregina.ca

More information

Intrusion Detection and Prevention

Intrusion Detection and Prevention Intrusion Detection and Prevention Outlines: Intrusion Tpesof Types Intrusion Intrusion Detection Models Intrusion Prevention Models By: Arash Habibi Lashkari July 2010 Network Security 07 1 Definition

More information

Negative Selection Approach Application in Network Intrusion Detection Systems

Negative Selection Approach Application in Network Intrusion Detection Systems Negative Selection Approach Application in Network Intrusion Detection Systems Amira Sayed A. Aziz Universite Francaise d Egypte (UFE) Scientific Research Group in Egypt (SRGE) Email: amiraabdelaziz@gmail.com

More information

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been

More information

A Response Strategy Model for Intrusion Response Systems

A Response Strategy Model for Intrusion Response Systems A Response Strategy Model for Intrusion Response Systems Nor Badrul Anuar 1,2, Maria Papadaki 1, Steven Furnell 1,3, and Nathan Clarke 1,3 1 Centre for Security, Communications and Network Research (CSCAN),

More information

Cyber War Chronicles Stories from the Virtual Trenches

Cyber War Chronicles Stories from the Virtual Trenches Cyber War Chronicles Stories from the Virtual Trenches Ron Winward Security Evangelist Radware, Inc. March 17, 2016 Background on the Radware Report Key Cyber Attack Trends for 2015-2016 Case Study: Look

More information

Efficient Network Intrusion Detection System Navaneethakrishnan.P a*,theivanathan.g b

Efficient Network Intrusion Detection System Navaneethakrishnan.P a*,theivanathan.g b World Journal of Technology, Engineering and Research, Volume 2, Issue 1 (2017) 168-173 Contents available at WJTER World Journal of Technology, Engineering and Research Journal Homepage: www.wjter.com

More information

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications

More information

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test Chapter Objectives n Explain penetration testing concepts n Explain vulnerability scanning concepts Chapter #4: Threats, Attacks, and Vulnerabilities Vulnerability Scanning and Penetration Testing 2 Penetration

More information

A Novel Network Proactive Defense Model: Anomaly Driven Dynamic Cooperative Defense Model

A Novel Network Proactive Defense Model: Anomaly Driven Dynamic Cooperative Defense Model IOP Conference Series: Materials Science and Engineering PAPER OPEN ACCESS A Novel Network Proactive Defense Model: Anomaly Driven Dynamic Cooperative Defense Model To cite this article: Li Lixun et al

More information

A Review Paper on Network Security Attacks and Defences

A Review Paper on Network Security Attacks and Defences EUROPEAN ACADEMIC RESEARCH Vol. IV, Issue 12/ March 2017 ISSN 2286-4822 www.euacademic.org Impact Factor: 3.4546 (UIF) DRJI Value: 5.9 (B+) A Review Paper on Network Security Attacks and ALLYSA ASHLEY

More information

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis White paper How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis AhnLab, Inc. Table of Contents Introduction... 1 Multidimensional Analysis... 1 Cloud-based Analysis...

More information

Framework For Cloud Computing Networks Pdf

Framework For Cloud Computing Networks Pdf A Cooperative Intrusion Detection System Framework For Cloud Computing Networks Pdf of Intrusion Detection Systems proposed over the years. Cloud Computing Cloud Computing suffers from various network

More information

Dendritic Cell Algorithm and Dempster Belief Theory Based Approach for Intrusion Detection System

Dendritic Cell Algorithm and Dempster Belief Theory Based Approach for Intrusion Detection System IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 16, Issue 2, Ver. IX (Mar-Apr. 2014), PP 99-103 Dendritic Cell Algorithm and Dempster Belief Theory Based Approach

More information

Game Theoretic Solutions to Cyber Attack and Network Defense Problems

Game Theoretic Solutions to Cyber Attack and Network Defense Problems Game Theoretic Solutions to Cyber Attack and Network Defense Problems 12 th ICCRTS "Adapting C2 to the 21st Century Newport, Rhode Island, June 19-21, 2007 Automation, Inc Dan Shen, Genshe Chen Cruz &

More information

A Firewall Architecture to Enhance Performance of Enterprise Network

A Firewall Architecture to Enhance Performance of Enterprise Network A Firewall Architecture to Enhance Performance of Enterprise Network Hailu Tegenaw HiLCoE, Computer Science Programme, Ethiopia Commercial Bank of Ethiopia, Ethiopia hailutegenaw@yahoo.com Mesfin Kifle

More information

Intrusion Detection System based on Support Vector Machine and BN-KDD Data Set

Intrusion Detection System based on Support Vector Machine and BN-KDD Data Set Intrusion Detection System based on Support Vector Machine and BN-KDD Data Set Razieh Baradaran, Department of information technology, university of Qom, Qom, Iran R.baradaran@stu.qom.ac.ir Mahdieh HajiMohammadHosseini,

More information

Effective Cluster Based Certificate Revocation with Vindication Capability in MANETS Project Report

Effective Cluster Based Certificate Revocation with Vindication Capability in MANETS Project Report Effective Cluster Based Certificate Revocation with Vindication Capability in MANETS Project Report Mandadapu Sravya M.Tech, Department of CSE, G. Narayanamma Institute of Technology and Science. Ch.Mandakini

More information

UMCS. New architecture of system intrusion detection and prevention

UMCS. New architecture of system intrusion detection and prevention ANNALES INFORMATICA DOI: 10.17951/AI.2016.16.2.20 New architecture of system intrusion detection and prevention Mariusz Nycz Faculty of Electrical and Computer Engineering Rzeszow University of Technology

More information

CE Advanced Network Security

CE Advanced Network Security CE 817 - Advanced Network Security Lecture 5 Mehdi Kharrazi Department of Computer Engineering Sharif University of Technology Acknowledgments: Some of the slides are fully or partially obtained from other

More information

Introduction and Statement of the Problem

Introduction and Statement of the Problem Chapter 1 Introduction and Statement of the Problem 1.1 Introduction Unlike conventional cellular wireless mobile networks that rely on centralized infrastructure to support mobility. An Adhoc network

More information

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Transforming Security from Defense in Depth to Comprehensive Security Assurance Transforming Security from Defense in Depth to Comprehensive Security Assurance February 28, 2016 Revision #3 Table of Contents Introduction... 3 The problem: defense in depth is not working... 3 The new

More information

Comput. Immu. Analogies with immunology represent an important step toward the vision of robust, distributed protection for computers.

Comput. Immu. Analogies with immunology represent an important step toward the vision of robust, distributed protection for computers. Comput Analogies with immunology represent an important step toward the vision of robust, distributed protection for computers. Immu Stephanie Forrest, Steven A. Hofmeyr, and Anil Somayaji Natural immune

More information

Internet Traffic Classification Using Machine Learning. Tanjila Ahmed Dec 6, 2017

Internet Traffic Classification Using Machine Learning. Tanjila Ahmed Dec 6, 2017 Internet Traffic Classification Using Machine Learning Tanjila Ahmed Dec 6, 2017 Agenda 1. Introduction 2. Motivation 3. Methodology 4. Results 5. Conclusion 6. References Motivation Traffic classification

More information

Intrusion Detection System

Intrusion Detection System Intrusion Detection System Marmagna Desai March 12, 2004 Abstract This report is meant to understand the need, architecture and approaches adopted for building Intrusion Detection System. In recent years

More information

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS ISSN: 2229-6948 (ONLINE) ICTACT JOURNAL OF COMMUNICATION TECHNOLOGY, JUNE 2010, VOLUME: 01, ISSUE: 02 DOI: 10.21917/ijct.2010.0013 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING

More information

Tautology based Advanced SQL Injection Technique A Peril to Web Application

Tautology based Advanced SQL Injection Technique A Peril to Web Application IJIRST National Conference on Latest Trends in Networking and Cyber Security March 2017 Tautology based Advanced SQL Injection Technique A Peril to Web Application Kritarth Jhala 1 Shukla Umang D 2 2 Department

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Intrusion Network Intrusion Prevention employs a response to perceived anomalous activity on the network.

More information

How to Configure ATP in the HTTP Proxy

How to Configure ATP in the HTTP Proxy Configure when and which types of files are uploaded to the Barracuda ATP Cloud for traffic passing through the HTTP proxy service. Users will receive downloaded files immediately. When files with a risk

More information

Incorporation of Human Resistant System and Advance Network Security System to improve Computer Security

Incorporation of Human Resistant System and Advance Network Security System to improve Computer Security Incorporation of Human Resistant System and Advance Network Security System to improve Computer Security Ajit Singh 1 1 Assistant Professor, Computer Science Department, Jagran LakeCity University, MP,

More information

WHITEPAPER. Vulnerability Analysis of Certificate Validation Systems

WHITEPAPER. Vulnerability Analysis of Certificate Validation Systems WHITEPAPER Vulnerability Analysis of Certificate Validation Systems The US Department of Defense (DoD) has deployed one of the largest Public Key Infrastructure (PKI) in the world. It serves the Public

More information

THE EVOLUTION OF SIEM

THE EVOLUTION OF SIEM THE EVOLUTION OF SIEM Why it is critical to move beyond logs BUSINESS-DRIVEN SECURITY SOLUTIONS THE EVOLUTION OF SIEM Why it is critical to move beyond logs Despite increasing investments in security,

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system

More information

Project Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio

Project Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio Project Proposal ECE 526 Spring 2006 Modified Data Structure of Aho-Corasick Benfano Soewito, Ed Flanigan and John Pangrazio 1. Introduction The internet becomes the most important tool in this decade

More information