Analysis of TCP Segment Header Based Attack Using Proposed Model

Transcription

1 Chapter 4 Analysis of TCP Segment Header Based Attack Using Proposed Model 4.0 Introduction Though TCP has been extensively used for the wired network but is being used for mobile Adhoc network in the transport layer. As there is no complementary protocol available for providing the connection oriented services in the wireless Adhoc network. In this chapter common possible attacks using TCP segment header are summarized in both for wired and wireless TCP. Further features are extracted to identify the individual attacks, and then statistics are employed for further training and testing. After training of the training data set a model file is generated, which has a high confidence value and used for testing to generate the prediction file for detection of an intruder or friend. Test data set is adopted to check the accuracy of the model file, which is detection engine. Higher rate of true positive and true negative accuracy leads to improved results. The idea for introducing this chapter is from the 1998 DARPA intrusion detection evaluation program [59], where an environment was set up to acquire raw TCP/IP dump data for a network by simulating a typical U.S. Air Force LAN. The LAN was operated like a real environment, and is blasted by multiple attacks. 33

2 4.1 Attacks using the TCP Segment Header Using TCP segment header attack types falls into three main categories: Denial of Service Attack There are various types of DoS attacks are possible. But for this chapter we consider the case of the TCP / IP header only. If Segment Header with full capacity and start hour is busy hour and RST bit is ON Guest / Remote to Local (R2L) Login Attack (unauthorized access from a remote system) An attacker, who does not have rights of authentication on a targeted node, gains local access to extract files from the system, or modifies data in transit to the system. If TTL is the same for the different packets with FIN bit is ON and RST bit is on Probing: surveillance and other probing a. Ping sweep/ IP Sweep Ping (beacon signal) sweep is a technique used to identify which range of IP addresses map to live node. In this ICMP ECHO request are sent to multiple hosts. If a given address node is live, it will reply with an ICMP ECHO. A ping command is often used to verify that a network device/node is functioning or not. b. Port Sweep Port sweep is a method to probe a server or host for open ports and not the working ports to launch the zombie attack. If TCP/IP header by default or minimum value and SYN/FIN bit is ON. c. SYN Scan SYN scan is another form of TCP scanning. The port scanner software generates raw IP packets, and then monitors the responses from the targeted node. This scan type is called as "half-open handshaking". Exactly as it never opens a full TCP connection. The port scanner software generates a SYN packet. If the targeted node port is open, it will reply with a SYN-ACK packet. The scanner node will reply with a RST packet, and thus closing the connection before handshaking completed. d. SYN Scan with FIN SYN scans are not surreptitious enough; firewalls are present in general (for the wired network). Scanning and blocking packets in the form of SYN packets are possible by the 34

3 firewall. FIN bit ON packets are able to pass through firewalls without any modification. Closed ports from the targeted node will reply to a FIN packet with an appropriate RST packet, whereas open targeted ports will ignore the packets. 4.2 Methodology For training and testing of data set in this research employed support vector machine (SVM) is used as it is the best among the tools available [59], [63], [64], [65], [66], and [67]. SVM is used for solving a variety of learning, classification and prediction problems. SVM is a learning system that uses a hypothetically a space of linear functions. Training is given to the training data set with a learning algorithm from optimization based theory. This learning strategy introduced by Vapnik et al. [60], is a very powerful method that has been applied in a wide variety of applications. The basic SVM deals with a two-class problems in which the data are separated by a hyper plane defined by a number of support vectors. Support vectors are a subset of training data used to define the boundary between the two classes shown in Figure 4.1. Kernel function plays an important role in SVM, in practice, various kernel functions can be used, such as linear, radial, polynomial or sigmoid as per the complexity of input data set. Figure 4.1: Separation of two classes with SVM 35

4 4.3 Feature Selection In order to recognize attacks and to distinguish between a normal and an intrusive behavior; specific features are needed. Therefore, pre-processing algorithms have been applied to extract statistical information from the raw TCP dump output provided by the DARPA. Altogether 137 different features have been extracted from TCP/IP header information. With the help of Evolutionary Algorithm [61], these 137 features are grouped into 19 different categories by combining those features which are based on the same TCP/IP header information. Table 4.1: Feature extracted from TCP/IP header Feature Description F-1 Source Port F-2 Destination Port F-3 Connection Duration F-4 Number of Packets F-5 TTL (Time to Life) F-6 ToS (Type of Service) F-7 TCP Segment length F-8 Reserved Flag Groups F-9 URG- Flag F-10 ACK- Flag F-11 PSH Flag F-12 RST- Reset Flag F-13 SYN- Flag F-14 FIN- Flag F-15 Window length group F-16 TCP options Group F-17 Data Length Group F-18 TCP length Group F-19 Start Hour 4.4 Features Pruning For features pruning and features ranking, three performance criteria can be considered using SVM; accuracy (A) of classification, training time (TT) and testing time (TST). Each 36

5 feature can be ranked as important (I), secondary (S) and useless (U) for IDS. Above 19 features shown in Table 4.1 can be ranked according to the following rules: Rule Set: (MukkaMala) [59] 1. If A and TT and TST I 2. If A and TT and TST I 3. If A and TT and TST I 4. If A and TT and TST I 5. If A and TT and TST S 6. If A and TT and TST S 7. If A and TT and TST U 8. If A and TT and TST S 9. If A and TT and TST S 10. If A and TT and TST U MukkaMala, used these pruning rules for self identified 41 features from the DARPA data set. But in this research only 19 features are used for training and testing. From these features again we extracted the important feature {F-5, F-7, F-12, F-14}; secondary feature< F-3, F-10, F-11, F-13, F-19>; and useless features (F-1, F-2, F-4, F-6, F-8, F-9, F- 15, F-16, F-17, F-18) 4.5 Rules Set for Attack Using TCP Segment Header Association rules set of attacks identified using the important and secondary features can be described as follows. a. Denial of Service attack If (F7== P Max ^ F12 == ON ^ F14 == ON ^ F19 {9:00, 17:00}) b. Guest /Remote login If (F5==Equal TTL from previous request ^F12 == ON ^ F14 ==ON ^ F7 {0,514}) c. Probing (IP Sweep, NMap, Port Sweep) 37

6 IP Sweep If (F5 == Equal TTL from Previous Request ^ F7 == ICMP Request) NMap If (F5 == Equal TTL from Previous Request ^ F7 == ICMP Request ^ F14 == ON) Port Sweep If (F5 == Equal TTL from Previous Request ^ F12 == ON ^ F13 == ON ^ F14 == ON) d. General Rule Set If( (F7== P Max ^ F12 == ON ^ F14 == ON ^ F19 {9:00, 17:00}) (F5==Equal TTL From Previous Request ^ F12 == ON ^ F14 ==ON ^ F7 {0,514}) (F5 == Equal TTL from Previous Request ^ F7 == ICMP Request) (F5 == Equal TTL from Previous Request ^ F7 == ICMP Request ^ F14 == ON) (F5 == Equal TTL from Previous Request ^ F12 == ON ^ F13 == ON ^ F14 == ON) 4.6 Audited Data Training Data Set for Attacks Using TCP Segment Header 482 data sets are used for training and testing. Iterated and noisy data set is removed and then is arranged according to the features discussed in section 4.4. Four important features and five secondary features, i.e. total 9 features are used. rule sets from section 4.5 are applied to these data sets and perform the classification for malicious and trusted nodes. SVM LIGHT used binary classification and for this thesis; +1 stands for normal node and -1 stands for malicious node. Training file used in the simulation is added in appendix A. For training the data set following command is used in SVM: $. /svm_learn data/train. text data/model. text (4.1) 38

7 After verifying the accuracy, model file can be deployed in the process model of the appropriate layer of node model for Adhoc network. A node model for Adhoc network is shown in Figure 4.2 and the process model is given in Figure 4.3. Table 4.2: Training data set for TCP segment header based attack Input Feature Train Data Set Function Parameter (C, γ) CPU Run Time (in Sec) Mis- Classified Support Vector Linear Default Linear (0.5,0.5) Linear (1,0.5) Linear 1, Linear 2, Radial Default Radial (0.5,0.5) Radial (1,0.5) Radial 1, Radial 2, Sigmoid Default Sigmoid (0.5,0.5) Sigmoid (1,0.5) Sigmoid 1, Sigmoid 2, Figure 4.2: Node model of Adhoc network 39

8 4.6.2 Testing Data Set for Attack Using TCP Segment Header A model file generated after the training of the data set is the confidence value generated by SVM LIGHT, which is used to test the given test data set of prediction. The accuracy shows the true positive and true negative generated by detection engine. Accuracy generated above is on the basis of parameter cost (C) and gamma (γ); linear, radial and sigmoid kernel functions are used. On the basis of prediction file, prediction can be provided that indicates whether the node is an intruder or a normal node. For Testing the data set following command is used in SVM: $./svm_classify data/test. text data/model. txtdata/prediction. text (4.2) Figure 4.3: Process model of MANET (arbitrary layer only for description) Table 4.3: Test data set for TCP segment header based attack Input Test Function Correct Incorrect Accuracy Precision/Recall Features Data Set (%) Linear %/100% Linear %/34.81% Linear %/70.99% Linear %/70.99% Linear %/48.07% 40

9 9 482 Radial %/100% Radial %/100% Radial %/100% Radial %/100% Radial %/100% Sigmoid %/100% Sigmoid %/100% Sigmoid %/100% Sigmoid %/100% Sigmoid %/100% 4.7 Results and Validation In this thesis SVM LIGHT [62] is used for training and testing. Feature extracted from the TCP / IP header and binary classification is used for detecting the intruders. The accuracy of the model is given in Table 4.3 which achieves the highest in the radial function. A model file generated in Table 4.2 for radial function is the detection engine and will be deployed at an appropriate layer in the future. The accuracy of the proposed model is the highest in comparison to previous models shown in Table 4.4. But this accuracy is achieved in the given simulation environment and conditions it may vary for different scenarios. Table 4.4: Result comparison with previous models for TCP Segment Header based attacks 4.8 Conclusion S.No. Model Accuracy 1. PAYL (Wang and Stolfo et. Al [75]) 58.8% 2. POSEIDON (Damiano Bolzoni et. Al [76]) 73.2% 3. Wenke Lee et. Al [78] 80.2% 4. PbPHAD IDS Model (Shamsuddin et. Al [77]) % 5. Yuancheng Li et. Al [79] 87% 6. Tian Xinguang et. Al [80] 83.33% 7. Proposed Model 99.20% This chapter gives the idea about designing an intrusion detection engine for Transport layer. It introduces the possible attacks using a TCP segment header. Collection of data, extraction of features from raw data set and features pruning then rules are generated for the detection of intruders. The training data set is used to find the model file which is used to test with the test data set of different SVM functions (linear, radial, and sigmoid). To 41

10 stabilize the accuracy of the system, different C and gamma parameters are used. Accuracy of the system is very good and observed approximately 99% in the case of radial function. And the results are improved from the previously available conventional models. We can deploy the model file generated by this function for the detection engine in intrusion detection system for an Adhoc network environment. 42