Method for security monitoring and special filtering traffic mode in info communication systems

Transcription

1 Method for security monitoring and special filtering traffic mode in info communication systems Sherzod Rajaboyevich Gulomov Provide Information Security department Tashkent University of Information Technologies Tashkent, Uzbekistan Nasrullayev Nurbek Bakhtiyorovich Provide Information Security department Tashkent University of Information Technologies Tashkent, Uzbekistan Abstract- This article is presented a method assessment of security intrusion detection system, allows operatively regulate the threshold formation an alarm and provides a quantitative and qualitative assessment of security of the network. Mathematical model of a special filtering traffic mode, allow to neutralize and prevent possible threats and attacks on computer networks is designed. Keywords intrusion detection systems, fuzzy logic, deterministic finite automaton, filtering traffic. I. INTRODUCTION Most intrusion detection system (IDS) ways relies on a system of analysis and audit of network data. Network traffic can be recorded using the utilities «packet capture», and operating system activity can be recorded on the system call level. basic premise is that, when the audit mechanisms included various evidences lawful activities and intrusions will occur in the data audit. refore, instead of the static analysis of source code software system, intrusion detection is used in more practical way analysis of audit records during the execution of the activities and networking systems and users. I. METHOD FOR SECURITY ASSESSMENT OF INTRUSION DETECTION SYSTEM BASED ON FUZZY LOGIC Collectors perform data collection function generators messages. Monitoring and management of information security events MMISE includes two control module (manager). first - the manager of risk management - is designed to generate alarms based on the prioritization of risks in real time. Second - records management manager - should keep medium and long term with a view to recording and reporting of individual requests [1]. Proposed below the method evaluation of secure IDS is part of a first module is designed as security in real time. se modules and their databases, as well as the security control center console is located in one of the Local area network (LAN) IDS, where and implemented centralized monitoring of the entire IDS. In accordance with the approach to the analysis of correlations, based on risk analysis, it is necessary to consider three components, based on the assessment which the formation of the alarm and/or a reduced level of protection. se components are: type of attacks; criticality of the assets LAN; the trust level to tells the device. In this case, under the attack level is a linguistic assessment of the extent provided in terms of fuzzy logic "low - medium - high" severity of attack. It is expected that such an assessment is given of the IDS, which is an integral part of the protection of the IDS. Criticality LAN assets is a result of the evaluation of the resources that are processed in each LAN, through the classification of resources and assign them to the different levels of importance. level of trust tells the user is determined in order to increase the reliability of detection of attacks. latter can evaluate the totality of messages associated with a particular event of the information security and make the right management decisions, for example, to send to the firewall command, which will block the attack the attacker. Any incorrect identification of incident information security will lead to undesirable consequences for the LAN: in one case, the LAN will be recognized as unreliable and in another - as unreliable. Reputation used devices to reduce these errors. If the specified IP-address was previously seen during the attack in data communication system (DCS), it is most likely owned by either the attacker or infected with malicious software, and as a result, his reputation is bad. If the IP-address of wrongdoing was not seen, it does not affect its reputation. Firewall, through which various organizations LAN connected to the IDS and switches are the main sources that provide information about network activity in the IDS that is reported on LAN devices. refore, each LAN has its own firewall and switch [2]. peculiarity of this segment of the network is that each LAN has its own means of information protection. Based on this, it is possible to judge the various levels of /16/$ IEEE

2 protection information in each LAN. In this connection, it is proposed to use an additional parameter for event correlation based on the risksthe level of protection of the LAN. need for this parameter is to reduce the number of alarms. In other words, if you know that the LAN has a high level of protection, it should not be given attention to incident information security in real time. Described above options of information security are presented in terms of fuzzy logic, they characterize each individual LAN to form a tuple sets: Settings information security of: where LAN = (1) the level of attacks; critical LAN assets; the level of protection for the LAN; the trust level to tells the device. It is possible to create a matrix of fuzzy rules, which to a certain set of parameters will be presented to the final value, indicating the importance of information security incident LAN, as shown in table 1. level of attac ks TABLE I. THE MATRIX OF FUZZY RULES Critical LAN assets level of protecti on for the LAN trust level to tells the device importan ce of incident informati on security LAN 1. Н Н В В Н 2. Н Н В С Н 3. Н Н С В Н 4. Н В В С С 5. Н В С В С 6. С Н В В Н 7. С Н В С С n. В В Н Н В However, this table is very large and, if necessary, make changes to the totals need to rewrite the table 1, which is a lengthy procedure. II. EVALUATION OF THE IMPORTANCE OF INCIDENT INFORMATION SECURITY IN E-GOVERNMENT To better address this problem, including the rapid changes in the level of the importance of incident information security LAN, you can use the formula (1), which takes into account all the parameters described above [3]. importance of incident information security a single LAN is defined as:, (2) where normalizing factor that allows to present the result in the range [0; 1]. To apply the formula (1) is necessary to make transformation of fuzzy variables, after which each corresponds fuzzy variable positive integer in the range [1; 5]. Conversion is shown in table 2-5. TABLE II. TRANSFORMATION FUZZY VARIABLE "THE LEVEL OF ATTACKS" IN THE NUMERICAL VALUES numerical value Very low 1 Low 2 High 4 Very high 5 Low levels of protection and low reputation will match the number increases, and vice versa [4]. most critical incident information security can have a maximum numeric value of 1 and the most insignificant TABLE III. TRANSFORMATION FUZZY VARIABLE "THE LEVEL OF PROTECTION FOR THE LAN" IN THE NUMERICAL VALUES numerical value Very low 5 Low 4 High 2 Very high 1 TABLE IV. TRANSFORMATION FUZZY VARIABLE "CRITICAL LAN ASSETS" IN THE NUMERICAL VALUES numerical value Very low 1 Low 2 High 4 Very high 5 TABLE V. TRANSFORMATION FUZZY VARIABLE "THE TRUST LEVEL TO TELLS THE DEVICE" IN THE NUMERICAL VALUES numerical value Very low 5 Low 4 High 2 Very high 1 Thus, knowing the numerical values of the four parameters of the information security LAN, it is possible to get a numerical assessment of the importance of incident information security LAN, representing in the range from 0 to 1. III. EVALUATION THE LEVEL SECURITY OF THE IDS Knowing the importance of incidents information security for each LAN, it is possible to get a numerical (quantitative) assessment of the level security of the IDS as a whole according to the formula: where ( ) (3) number of LAN in the IDS; the importance of incident information security of th LAN. Substituting value of formula (2), it is obtained the final formula, allow obtain a quantitative evaluation of the security DCS:

3 where ( ) (4) number of LAN in the IDS; the normalization factor, allowing to present the result in the range [0;1]; level of attacks on the th LAN, equal to th numerical value; critical assets in the th LAN, which is equal to the th integer numeric value; protection level th LAN, equal to th numerical value; the trust level to tells the device of LAN, equal to th integer numeric value. Based on the values quantitative evaluation security of the IDS can be obtained values of qualitative evaluation security of the IDS in the Fig.1. above method can be represented by the scheme illustrated in Fig.2. Providing output values information security parameters in terms of fuzzy logic Setting the threshold level for the security of Р DCS Conversion of fuzzy variables into numeric value l m Calculating the correction factor k m calculation of the level security of the DCS Р DCS n K m At ij As ij P LANij T ij Comparison of results Р DCS with the threshold value Р DCS 1. Formation of the alarm on console management. 2. An indication of the degree of signal importance Fig.2. scheme obtaining of the level evaluation security of the IDS Fig.1. dependence of the values of the qualitative evaluation security of the DCS from values quantitative evaluation security of the DCS To generate an alarm is predetermined threshold value of the IDS, the achievement of which will result in the formation of the signal. As an example, consider the following scenario. IDS has 4 LAN. IDS detects the attack on the two firewall, connected to different LAN. For one firewall: the attack has a level of "high - 4"; critical LAN assets "average - 3"; the level of protection - "low - 4"; the trust level to tells the device "very high - 1". For two firewall: attack has a level of "medium - 3"; "low - 2" critical asset; the level of protection "high - 2"; the trust level of firewall "high - 2". Threshold of DCS equal to 0.8. On other network devices detected attacks was not, therefore, the importance of incident information security to them is 0. MMISE correlates events information security from the formula (4) and obtains a quantitative evaluation security of the IDS. IV. MODELS THREAT ASSESSMENT IN A SPECIAL TRAFFIC FILTERING MODE proposed model of network protection device operation should not affect the structure of the network processes. Identify the process of passing through the firewall is possible under reasonable traffic characteristics unrelated to the filtration process. In other words, the measurement will be accessible to the characteristics of the aircraft which are not prohibited filtering rules or monitoring mechanism of streaming sessions firewall. Firewall in a special traffic filtering mode allows realize packet filtering protocols more to higher levels (ARP, RARP, IP, IPX and state table application protocols). scheme of operation firewall in a special traffic filtering mode is illustrated in fig.3. Let the packet flows are input firewall, distributed exponentially. From this it may say that if the input stream in a real system is different from the simple, then the firewall will be functioning characteristics [5]. Firewall in a special traffic filtering mode includes a reception path which processes the incoming packet stream to them. Packets come with intensity, where the buffer is written to the special regime of traffic filtering. Contact stream of packets in each transmission path is equally probable. As packets arrive at a special traffic filtering mode are regardless. And so, below is presented the final formula for the desired characteristics.

4 Physical level Filtering is not available Data link level Network level Transport level Control switches Static and dynamic packet filtering State inspection Proxy of session level Session level Presentation level Filtering is not available Application level Proxy server Special traffic filtering mode Table of filtering MAC ARP IP IPX Applied protocols Fig.3. scheme of operation firewall in a special traffic filtering mode Table of session average length of the queue of packets can be designed for the system M/M/1: (5) Probability of loss packets is Р No connection A 0 Initiates a connection A 1 At the entrance is not a stream of packets queuing system is processed packet Transition scheme For special filtering mode traffic it does not matter which side initiated the connection. Transition scheme between states of the TCPconnection to the special traffic filtering mode is shown in fig.4. Thus, there is a graph transition between state special traffic filtering mode. To detect threats in a special traffic filtering mode offered the model based on finite automata. Let it be, input alphabet, and alphabet outputs, the final A machine called an ordered five sets of, where set of initial states. In this case we consider an initial deterministic finite automaton, which, having a fixed structure and the following function outputs. letter of the alphabet input is a set of all actions of the test suite required for the implementation of a model. connection is established A 2 connection is established A 3 queuing system is processed packet 1, while in standby buffer is packet 1 Queuing system is processed in the packet, in the line is found L packets connection is terminated A 5 Established A 4 Connection closed A 7 Fig.4. Transitions scheme between TCP-connection for a special traffic filtering mode Reset the connecti on A 6

5 letter of the alphabet of enters is a set of reactions of a special traffic filtering mode, determining its action on the test packet. letter of the alphabet of states will represent model rules, forming the response of the system to the test. Alphabetical operator is defined by the rules of the system applying the algorithm. Thus, a special traffic filtering mode is reduced to the operation of the linear digital machine (LDM). Operation LDM is described using alignment system: (6) (7) where input vector, output vector, is the vector of the state machine (see Fig.5). u t Fig.5. operation of the LDM Here LDM matrix: s t y t (8) If four of the matrix were given, dimensions of which are defined in formula (8), then there is always the LDM matrix with inputs, outputs and delays and characteristic LDM matrix will coincide with the set (see Fig.6). as well as the equation (9), the output action of the special traffic filtering is a matrix. At the same time, in this matrix are interested in the main diagonal [6]. Namely it carries the output response of special traffic filtering mode to input action. If considering the fact that the vector and are binary, the matrix is also binary. presence of the unit at position in that matrix indicates that special traffic filtering mode cannot to counter the threat of code. For example, suppose the input mode with a special traffic filtering mode is served vector (8x1): which is situated information about seven different types of threats. At the same time the input mode with a special traffic filtering mode is served threat with code 4,5,7 and 8. matrix, should have the dimension (1x8), the content of this vector defines arbitrarily: In this case is determined special traffic filtering as device that does not counter to threat with codes 5,6 and 8. From formula (10) will get the output action: l LDM m n Fig.6. characteristic of LDM matrix In LDM input modeling with a special traffic filtering mode is served threats vector and its length determines the number of inputs LDM parameter. Each threat is assigned a unique code from to. As the input vector is convenient to use a binary column vector [8,10]. Unit in the vector is set in the position, if the input with a special traffic filtering mode is served threat code to. Assume that a special traffic filtering mode devices without delay, that is. n, equations (6) and (7) is converted into a single equation: (9) From equation (9) it is clear that the functioning of LDM, determined according to the equation completely characterizes the matrix and that it should be laid down about the special traffic filtering settings (threats, which counteracts the firewall). Considering the dimension of the vector, matrix is a row vector length l. Furthermore, the vector is a binary string. Zero in this vector exhibited at position, if special traffic filtering mechanism to counter the threat of traffic is defined with the code. Given the dimension of the vectors and, As can be seen, on the main diagonal of the matrix the unit is situated only at the position [5,5] and [8,8], which indicates the inability of the special traffic filtering, given the matrix (5,8) and counter to threat with the code 5 and Conclusions Proposed method for evaluating security of the IDS allows trippingly adjust threshold of the shaping warning signal. At the same time the management console is referred to as a quantitative and qualitative evaluating security of the IDS. Designed a mathematical model of a special filtering traffic mode for protection of network resources, allows for neutralizing and preventing possible threats, attacks and action of external destructive influences in computer networks. References: [1] Barbara D., et al. Detecting Novel Network Intrusions Using Bayes Estimators. /In: Proceedings of the First SIAM Conference on Data Mining, Chicago, April [2] Lazarevic A., et al. A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection. /In: Proceedings of the Third SIAM International Conference on Data Mining. - San Francisco. May, [3] Hanaa M. S., et al. Neural networks approach for monitoring and securing the E-Government informational systems // European Journal of Computer Science and Information Technology. - December, Vol.2, 4. - P

6 [4] Lazarevic A., et al. A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection. /In: Proceedings of the Third SIAM International Conference on Data Mining. - San Francisco. May, [5] Sherzod Gulomov, Abduaziz Abdurakhmanov and Nurbek Nasrullaev. «Design Method and Monitoring Special Traffic Filtering under Developing «Electronic Government» International Journal of Emerging Technology & Advanced Engineering (ISSN , ISO 9001:2008 Certified Journal), Volume 5, Issue 1, January 2015, India. [6] Karimov M.M., Gulomov Sh.R., Yusupov B.K. «Approach development accelerate of process special traffic filtering». Journal of Computer and Communications, Vol.3 No.9, September 2015, PP , USA.