MMDS: Multilevel Monitoring and Detection System


D. Dasgupta, J. Gomez, F. Gonzalez, M. Kaniganti, K. Yallapu, R. Yarramsettii
Intelligent Security Systems Research Laboratory, Division of Computer Science, University of Memphis, Memphis, TN 38152
Contact
Gomez and Gonzalez are also assistant professors at Universidad Nacional de Colombia.

Abstract

The paper presents an agent-based approach for monitoring and detecting different kinds of attacks in wireless networks. The long-term goal of this research is to develop a self-adaptive system that performs real-time monitoring, analysis, detection, and generation of appropriate responses to intrusive activities. This multi-agent architecture, which supports the necessary agent interactions, uses a fuzzy decision support system to generate rules for different attacks by monitoring parameters at multiple levels. The system is able to operate in a wireless network and to detect and respond to events in real time, according to its broad decision objectives and security policies.

1 Introduction

Wireless LANs are in growing use and are changing the landscape of computer networking. With the increased usage of wireless LANs, network security has become a major issue [5,6]. As Wired Equivalent Privacy (WEP) has been proved vulnerable to attacks [1], it is necessary to monitor the activities of the wireless LAN. Network probes or scans attempt to discover vulnerabilities; they are attempts to find open doors for future attacks, which follow if the probe returns positive results to the attacker. This work is motivated by the fact that most existing intrusion detection systems (IDSs) fail to detect many cyber attacks because they lack intelligent techniques for making correct decisions when detecting distributed attacks [2,4]. One way to build intelligent decision-making systems for intrusion detection relies on learning the typical user/application behavior from a set of normal (positive) data [3].

By normal, we mean usage data that have been collected while no cyber attacks have taken place. However, the notion of normalcy in computer and network usage is rarely static but dynamic in nature. This means that the modeling of behavior must be elastic, adapting to the normal fluctuations of usage over time. Our current work focuses on anomaly detection in ad-hoc and infrastructure wireless networks (explained in detail in later sections). The security features usually provided by wireless networks include Wired Equivalent Privacy (WEP), Medium Access Control (MAC) filtering, and disabling the Service Set IDentification (SSID) broadcast. The security capabilities of each of these features are explained below.

Enabling WEP: WEP was introduced in wireless networks as a security measure to prevent access to network resources by anyone using similar wireless LAN equipment, and to prevent eavesdropping on the network [4].

MAC filtering: MAC filtering is the process of configuring an access point with a list of MAC addresses that will be allowed (or not allowed) to gain access to the rest of the network.

SSID broadcast: The SSID is associated with the access point. It is the network name by which the access point is identified. The access point sends beacon packets at regular intervals so that mobile nodes can learn of the existence of the access point.

2 MMDS Security Agent Architecture

We developed a multi-agent system (called MMDS) that uses intelligent decision support modules for robust intrusion detection. MMDS (Multi-level Monitoring and Detection System) provides a hierarchical security agent framework in which a security node consists of four different agents (Manager Agent, Monitor Agent, Decision Agent, and Action Agent), as shown in Figure 1. The activities of these agents are coordinated through the Manager Agent during sensing, communicating, and generating responses. Each agent performs a unique function (in coordination) to address various security issues of the monitored environment.

[Figure 1: MMDS Security Agent Architecture (user interaction scenario between the Manager, Monitor, Decision and Action agents and the target system)]

The Decision Agent consists of a fuzzy inference engine, which can take a robust decision in case of any abnormalities/intrusions. Since the difference between normal and abnormal activities is not distinct but rather fuzzy, the fuzzy system is used to represent imprecise and heuristic knowledge. In our current implementation, the Action Agent reports the state of the monitored environment in IDMEF (Intrusion Detection Message Exchange Format). Accordingly, the Action Agent generates alerts, heartbeats, etc., which represent the intrusion/anomalous state and the diagnosis, and recommend actions. The purpose is to send these objects to other system management devices so that necessary action can be taken, which may include killing a process, disabling the access of a user who is a potential intruder, alerting the administrator about the intrusion, etc.

2.1 Fuzzy Decision Engine

A fuzzy system is based on the concept of fuzzy logic. In fuzzy logic, an object can belong to a set and not belong to the set at the same time. Fuzzy sets define the linguistic notions in fuzzy logic, and membership functions define the truth-value of such linguistic expressions. Table 1 shows the difference between classic sets and fuzzy sets.

Table 1: Differences between fuzzy sets and classic sets

  Fuzzy sets                                                   | Classic sets
  -------------------------------------------------------------|-----------------------------------------------------------
  An object can partially be in a set. The membership degree   | An object is entirely in a set or is not. The membership
  takes values between 0 and 1: 1 means entirely in the set,   | degree takes only two values, 0 or 1: 1 means entirely in
  0 means entirely not in the set, and other values mean       | the set, 0 means entirely outside the set. Other values
  partially in the set.                                        | are not allowed.

The degree of membership of each object in the universe of discourse to a fuzzy set defines a function whose domain is the universe of discourse and whose range is the interval [0,1]. That function is called the membership function. Conversely, any function from the universe of discourse to the interval [0,1] can be used as a membership function for some fuzzy set. Figure 2 shows the most used membership function, the triangular membership function.

[Figure 2: Triangular membership function for a fuzzy set (membership degree plotted over x, the universe of discourse)]

Usually, the universe of discourse is normalized between 0.0 and 1.0. A fuzzy space, a collection of fuzzy sets, has to be defined for each monitored parameter and for each deviation indicator. A fuzzy space is shown in Figure 3.

[Figure 3: Fuzzy space with the sets Low, Medium Low, Medium, Medium High and High]

An atomic fuzzy expression is an expression of the form:

  variable is [not] fuzzyset

where variable is a variable that takes values in the universe of discourse, and fuzzyset is the name of a fuzzy set that has been defined by a membership function. The truth-value is the membership degree of the variable in the fuzzy set. Therefore, truth-values are expressed by a number between 0 and 1, where 0 means entirely false, 1 means entirely true, and other values mean partially true. For each classical logic operator (and, or, negation), there is a corresponding fuzzy logic operator:

  p AND q = min{p, q}
  p OR q  = max{p, q}
  NOT p   = 1.0 - p

Fuzzy rules [7] have the form:

  IF fuzzy predicate THEN consequent

where fuzzy predicate is a predicate that uses fuzzy logic operators and atomic fuzzy expressions. Rule examples:

  IF x is HIGH and y is LOW THEN action3
  IF x is MEDIUM and y is HIGH THEN action2

To infer a conclusion using a set of fuzzy rules, the following algorithm is used:

  1. Evaluate the antecedent of each rule over the deviation of the parameters.
  2. Select the rule with the biggest antecedent truth-value.
  3. The action to take is the consequent of that rule.

Inference example:

  Rules:
    R1: IF x is HIGH and y is LOW THEN action3
    R2: IF x is MEDIUM HIGH and y is MEDIUM THEN action3
    R3: IF x is MEDIUM and y is MEDIUM LOW THEN action1
  Variable values: x is 0.7 and y is 0.3
  Degrees of membership:
    x in HIGH is 0.2, x in MEDIUM HIGH is 0.7, and x in MEDIUM is 0.3
    y in LOW is 0.4, y in MEDIUM LOW is 0.8, and y in MEDIUM is 0.4
  Rule truth values: R1 = 0.2, R2 = 0.4, and R3 = 0.3
  Chosen rule: R3
  Conclusion: action3

As the difference between normal and abnormal activities is not distinct but rather fuzzy, this module can reduce false signals in determining intrusive activities. The purpose of this component is to use imprecise and heuristic knowledge to describe the state of the system as normal, as a specific attack (if the attack is known), or just as an attack (if the attack is unknown). The imprecise knowledge is represented using fuzzy logic; this allows vague concepts such as small, high, etc. to be represented. The fuzzy rules are specified in an XML file. The format of this file is defined by the following DTD (Document Type Definition):

  <!DOCTYPE knowledge [
    <!ELEMENT knowledge (fuzzyrule)*>
    <!ELEMENT fuzzyrule (if, then)>
    <!ELEMENT if (#PCDATA)>
    <!ELEMENT then (#PCDATA)>
  ]>

This is an example rules file:

  <?xml version="1.0"?>
  <!-- fuzzy controller test -->
  <knowledge>
    <rule>
      <if>local_received_packets is not high</if>
      <then>record-type is normal</then>
      <confidence>1.0</confidence>
    </rule>
    <rule>
      <if>local_sent_bytes is medium-high or CPU_USERS is not low</if>
      <then>record-type is sshhack</then>
      <confidence>1.0</confidence>
    </rule>
    <rule>
      <if>local_sent_bytes is high</if>
      <then>record-type is nmap</then>
      <confidence>1.0</confidence>
    </rule>
  </knowledge>

The <if> part of a rule is a fuzzy logic expression with operator priorities, i.e., the operator with the higher priority is evaluated before those with lower precedence. The fuzzy engine uses the priorities shown in Table 2.

Table 2: Priorities used by the fuzzy rule evolver

  Operator      Precedence
  Parentheses   4
  NOT           3
  AND           2
  OR            1

Therefore, the operator NOT is evaluated before the operators AND and OR. Spaces, sets, and variables have to be defined in the spaces and variables files that the fuzzy controller uses. Also, for each atomic expression (<var> is [not] set), the fuzzy set must belong to the fuzzy space used by the variable; otherwise the system will complain and the fuzzy controller will not run. The <then> part is a string in double quotes that contains the kind of anomaly found, the explanation text, and the suggested recommendation. These elements have to be separated by commas and placed in the string in that order.

2.2 Training the Fuzzy System

An expert can specify the rules for the fuzzy decision system manually. However, this can be time consuming and, in some cases, very difficult. A more interesting option is to generate the rules automatically, using an algorithm that learns them from the data. MMDS uses a genetic algorithm that evolves fuzzy rules that are able to correctly classify a set of training data. The genetic algorithm used is the parameter-free version proposed in [13].

3 Wireless Set-up, Experiments and Results

3.1 Wireless Network

The experimentation is performed on both an ad-hoc network and an infrastructure network. A brief description of these networks follows:

Ad-hoc Network: a peer-to-peer wireless network. Each computer with a wireless interface can communicate directly with all of the others.

Infrastructure Network: uses an access point (AP) for communication in the wireless network. Stations must associate with an access point to be connected and obtain network services. Accordingly, all mobile stations are required to be within range of the access point, and the access point is connected to the wired network. Thus, in an infrastructure network, it is possible to use both the wired and the wireless networks together. Figure 4 shows an example environment of an infrastructure network.

[Figure 4: Wireless Infrastructure Network Structure]

3.2 Attack Generation Details

Three types of attacks are performed on the wireless networks. These attacks are described in the two sections below. The first section describes the SSH and NMAP attacks and how the fuzzy detector system is able to detect them. The second section provides details of MAC address spoofing in the wireless network and the related detection results.

SSH and NMAP Attacks

One set of experiments is conducted using two wireless nodes communicating with each other in an ad-hoc network. The detection system (MMDS) is loaded on one machine, which monitors the other machine. The other set of experiments uses an infrastructure network. In this case, the wireless nodes are monitored from wired nodes with the help of a base station (access point), and MMDS runs on one of the wired machines. The network consists of a set of wired computers, access points connected to them, and wireless mobile nodes. MMDS is allowed to collect data from the WLAN for several hours. Monitoring involves the regular collection of various system parameters as a data stream. In the experimentation reported here, the parameters shown in Table 3 are monitored.

Table 3: Parameters monitored by MMDS at various levels

  Network level:  LOCAL_SENT_BYTES, LOCAL_RECEIVED_BYTES, LOCAL_SENT_PACKETS, LOCAL_RECEIVED_PACKETS,
                  REMOTE_SENT_BYTES, REMOTE_RECEIVED_BYTES, REMOTE_SENT_PACKETS, REMOTE_RECIEVED_PACKETS
  Process level:  PROCESSES, PROCESSES_ROOT, PROCESSES_USER, PROCESSES_BLOCKED, PROCESSES_RUNNING,
                  PROCESSES_WAITING, PROCESSES_ZOMBIED
  User level:     LOGINS, FAILED_LOGINS, REMOTE_LOGINS, CPU_USERS
  System level:   USED_PHYSICAL_RAM, USED_SWAP_RAM

We divide the collection of data into two phases:

Collecting data in normal conditions: The monitored computer is kept under normal usage, so this data corresponds to the normal behavior of the system. The normal profile is given either by minimum-maximum values or by the average and standard deviation of the monitored parameters. This profile is then saved to a file. Also, a sample of this data is labeled as normal for use in the training process.

Collecting data under attack: The monitored computer is attacked from another computer, in order to generate a collection of data records that represent abnormal behavior. In this experimentation, we ran the following two attacks:

  SSHHACK: This attack tries to guess the password of a user on the trained system.
  NMAP: This attack scans for open ports on the trained system.

The data is labeled based on the attack performed. In summary, we create a training dataset with records for normal behavior and for the attacks SSHHACK and NMAP.

Preprocessing

We normalize the dataset using the preprocessing tool provided in MMDS. In the normalization process, each monitored parameter is normalized between 0.16 and 0.84 according to the maximum and minimum values observed in the normal profile. For each monitored parameter, we assign a fuzzy space. Figure 5 shows the fuzzy space that we used.

[Figure 5: Fuzzy Space]

Fuzzy Rule Generation

We used a parameter-free genetic algorithm [13] in which the crossover and mutation rates are not set but evolve with the population. Each genetic algorithm run was initialized with a random chromosome population of 200 individuals, with lengths between one and six genes, and the maximum number of iterations was fixed at 200. In this way, the speed-up of the evolutionary process appears to be significant.

Offline Testing Results

A ten-fold testing strategy was employed [12]: the data set was partitioned into ten randomly chosen subsets, and each subset was used as a testing set for the fuzzy classifier trained with the remaining subsets. The score of the classifier (correctly classified samples / sample size) was calculated as the average score of the 10 tests.
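The fuzzy decision engine of Section 2.1 applied to normalised records like the ones produced by the preprocessing step above, as an added example that is not part of the paper or of the MMDS code: it loads a rules file in the format shown there, evaluates <if> expressions with the precedence of Table 2, and applies the max-rule inference both to the membership degrees of the paper's inference example and to a constructed record. The five-set triangular fuzzy space with its 0.25 widths, the hyphenated set names and the record values are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Triangular membership function (Figure 2): 1.0 at `center`, 0 at center +/- width.
def triangular(x, center, width):
    return max(0.0, 1.0 - abs(x - center) / width)

# Assumed fuzzy space (cf. Figure 3): five evenly spaced triangles over [0, 1]; hyphenated names as in the rules file.
FUZZY_SPACE = {"low": 0.0, "medium-low": 0.25, "medium": 0.5, "medium-high": 0.75, "high": 1.0}

def membership(value, fuzzy_set, width=0.25):
    return triangular(value, FUZZY_SPACE[fuzzy_set], width)
# Fuzzy logic operators of the MMDS engine: AND = min, OR = max, NOT = 1 - p.
def f_and(p, q): return min(p, q)
def f_or(p, q): return max(p, q)
def f_not(p): return 1.0 - p
class Parser:
    """Recursive-descent evaluator for an <if> expression, honouring the
    precedence of Table 2 (parentheses > NOT > AND > OR):
        expr := conj ('or' conj)*       conj := unary ('and' unary)*
        unary := 'not' unary | '(' expr ')' | atom
        atom := VARIABLE 'is' ['not'] FUZZYSET
    degree(variable, fuzzy_set) supplies the membership degree of the variable."""
    def __init__(self, text, degree):
        self.tokens = re.findall(r"\(|\)|[^\s()]+", text)
        self.pos, self.degree = 0, degree
    def peek(self):
        return self.tokens[self.pos].lower() if self.pos < len(self.tokens) else None
    def take(self):
        self.pos += 1
        return self.tokens[self.pos - 1]
    def parse(self):
        value = self.expr()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token: " + self.tokens[self.pos])
        return value
    def expr(self):
        value = self.conj()
        while self.peek() == "or":
            self.take()
            value = f_or(value, self.conj())
        return value
    def conj(self):
        value = self.unary()
        while self.peek() == "and":
            self.take()
            value = f_and(value, self.unary())
        return value
    def unary(self):
        if self.peek() == "not":
            self.take()
            return f_not(self.unary())
        if self.peek() == "(":
            self.take()
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        return self.atom()
    def atom(self):
        variable = self.take()
        if self.take().lower() != "is":
            raise ValueError("expected 'is' after " + variable)
        negated = self.peek() == "not"
        if negated:
            self.take()
        value = self.degree(variable, self.take().lower())
        return f_not(value) if negated else value

def infer(rules, degree):
    """Steps 1-3 of the inference algorithm: evaluate every antecedent, select the
    rule with the largest truth value, return (rule name, consequent, truth value)."""
    scored = [(Parser(cond, degree).parse(), name, then) for name, cond, then in rules]
    truth, name, then = max(scored, key=lambda s: s[0])
    return name, then, truth

def load_rules(xml_text):
    """Read a <knowledge> rules file; <confidence> plays no part in rule selection."""
    root = ET.fromstring(xml_text)
    return [(f"R{i}", r.findtext("if").strip(), r.findtext("then").strip())
            for i, r in enumerate(root.findall("rule"), 1)]
# Rules and membership degrees of the paper's inference example (R3 -> action1 assumed).
PAPER_RULES = [("R1", "x is HIGH and y is LOW", "action3"),
               ("R2", "x is MEDIUM-HIGH and y is MEDIUM", "action3"),
               ("R3", "x is MEDIUM and y is MEDIUM-LOW", "action1")]
PAPER_DEGREES = {("x", "high"): 0.2, ("x", "medium-high"): 0.7, ("x", "medium"): 0.3,
                 ("y", "low"): 0.4, ("y", "medium-low"): 0.8, ("y", "medium"): 0.4}
def paper_example():
    return infer(PAPER_RULES, lambda var, fset: PAPER_DEGREES[(var.lower(), fset)])

# The rules file of Section 2.1, applied to one constructed normalised record.
RULES_XML = """<?xml version="1.0"?>
<knowledge>
  <rule><if>local_received_packets is not high</if><then>record-type is normal</then><confidence>1.0</confidence></rule>
  <rule><if>local_sent_bytes is medium-high or CPU_USERS is not low</if><then>record-type is sshhack</then><confidence>1.0</confidence></rule>
  <rule><if>local_sent_bytes is high</if><then>record-type is nmap</then><confidence>1.0</confidence></rule>
</knowledge>"""
def classify(record, xml_text=RULES_XML):
    """record maps each monitored parameter to its normalised value in [0, 1]."""
    return infer(load_rules(xml_text), lambda var, fset: membership(record[var], fset))
```

Calling paper_example() returns whichever rule has the largest antecedent truth value under the min/max operators, and classify() does the same for the rules file over a record such as {"local_received_packets": 0.9, "local_sent_bytes": 0.95, "CPU_USERS": 0.1}.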

The Receiver Operating Characteristic (ROC) curve is used to exhibit the tradeoff between false alarm rate and detection rate during the attack period (as shown in Figure 6). It can be noted from the ROC curve that for a false alarm rate of 1.0 and above, the detection rate is almost 100%.

[Figure 6: ROC curve exhibiting the performance of the system (detection rate (%) against false alarm rate (%))]

Online Testing

Figures 7 and 8 show snapshots of the MMDS console (GUI) during the two attacks, SSHHACK and NMAP, respectively. In Figure 7, we can see that as the SSHHACK starts, the system senses the possibility of SSHHACK but with low confidence (first line under the Decision frame). As the attack progresses, the confidence level exceeds the predefined threshold (0.5), indicating that the attack is underway.

[Figure 7: Snapshot showing the rule for the SSHHACK attack]

[Figure 8: Snapshot showing the rule for the NMAP attack]

In Figure 8, similar results are reported, with higher confidence during the NMAP attack.

MAC Address Spoofing in a Wireless Infrastructure Network

Experimental Settings

The experimental environment consists of a Linksys access point (model WAP). All the security features described in the introduction (WEP, MAC filtering, and disabling the SSID broadcast) are enabled on the access point during the experiments. Four legitimate mobile nodes are assigned to communicate with the access point. We have specified the MAC addresses of these four mobile nodes in the MAC filtering list of the access point (as shown in Figure 9). Thus the access point allows only these four clients to communicate with the network, provided they supply the correct encryption key (i.e., are authorized).

[Figure 9: MAC authorization list assigned by the access point]

Attack Conditions

It is known that security in 802.11 networks is weak. Studies show that it is possible to break the WEP key, which appears to be weak [1]. In our experiments, we have simulated a MAC spoofing attack, where the attacker machine (Windows XP) obtains the WEP key by running the Airsnort software [17]. The attacker also needs to know the MAC address of one of the legitimate nodes, obtained by passively sniffing the network; in our case, we used the Ethereal tool for sniffing. The attack is launched against a legitimate node with the MAC address 00:02:2D:2A:AA:AD. The attacker machine uses a tool called Spoof MAC (SMAC) to change its MAC address to 00:02:2D:2A:AA:AD and gains access to the network. The wireless network environment used in the experiments and the sequence of steps used to launch the MAC spoofing attack are shown in Figure 10.

[Figure 10: Experimental environment illustrating four authorized wireless machines associated with the access point (AP) and the machine launching the attack]

Data Processing

While the attack is being launched, we monitor the wireless network from one of the wireless nodes. This is performed with the help of the Wellenreiter [15] and Ethereal [16] tools. The captured data is processed to extract the traffic going to and from the victim machine. The sequence number field of the captured packets is monitored for the experiment.

The attack is launched twice to collect two different data sets: one is used as the training data to train the detection system, and the other as testing data to determine how well the fuzzy classifier is able to detect such attacks. The training and testing sets are created using a window size of four consecutive values, in order to capture temporal behavior. The training data set contains 2800 records and the testing data set is made up of 1000 records, which are used by the fuzzy rule generator.
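The windowed sequence-number feature of the data processing step above, added here as an illustration rather than the paper's own classifier (which learns its rules from the training set): the two captures, the 50-step forward limit and the deviation measure are constructed assumptions, and the 12-bit wrap of the 802.11 sequence number field is handled so that a legitimate wrap is not flagged.

```python
# 802.11 sequence numbers are a 12-bit field, so a station's counter wraps from 4095 to 0.
SEQ_MODULO = 4096
WINDOW = 4        # window size used by MMDS to capture temporal behaviour
MAX_STEP = 50     # assumed: largest forward jump still attributed to one sender's counter

def seq_delta(prev, cur):
    """Forward distance from prev to cur modulo 4096, so that a legitimate station's
    4095 -> 0 wrap looks like an ordinary step of 1."""
    return (cur - prev) % SEQ_MODULO

def windows(seqs, size=WINDOW):
    """Sliding windows of `size` consecutive sequence numbers (one record each)."""
    return [tuple(seqs[i:i + size]) for i in range(len(seqs) - size + 1)]

def window_deviation(window, max_step=MAX_STEP):
    """Deviation indicator in [0, 1]: the fraction of transitions within the window
    that are not a small forward increment (a repeat, a backward jump or a large gap).
    A second radio transmitting under the victim's MAC address keeps its own counter,
    so the interleaved capture shows such transitions."""
    transitions = list(zip(window, window[1:]))
    bad = sum(1 for prev, cur in transitions
              if seq_delta(prev, cur) == 0 or seq_delta(prev, cur) > max_step)
    return bad / len(transitions)

def flag_windows(seqs, threshold=0.5):
    """(index, window, deviation) for every window whose deviation reaches threshold."""
    return [(i, w, window_deviation(w)) for i, w in enumerate(windows(seqs))
            if window_deviation(w) >= threshold]

# Constructed captures of frames carrying the victim's MAC address (not the paper's data):
# a quiet station crossing the counter wrap, and one with a second sender interleaved.
NORMAL_CAPTURE = [4090, 4091, 4092, 4093, 4094, 4095, 0, 1, 2, 3]
SPOOFED_CAPTURE = [100, 101, 102, 2500, 103, 2501, 104, 105, 2502, 106]
```

flag_windows(NORMAL_CAPTURE) returns no windows, while flag_windows(SPOOFED_CAPTURE) flags every window that straddles both counters.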

Results

The results show the efficiency of the fuzzy detection system in detecting the abnormalities. Figure 11 and Figure 12 show the deviation in sequence numbers in the training and testing phases respectively. From Figure 13, it is clear that the fuzzy detection system is able to detect most of the abnormalities correctly during the testing phase.

[Figure 11: The sequence number of the entire training set plotted against time]

[Figure 12: The sequence number of the entire testing set plotted against time]

[Figure 13: Deviation level produced by the fuzzy classifier during the testing phase, indicating the abnormality in sequence number for the entire testing data set]

Figure 14a shows the change in sequence number between 300 and 700 seconds. It can be seen that the attack occurred between 300 and 700 seconds. The fuzzy decision support system was also able to correctly detect the abnormality in the sequence number of the packets. This is depicted in Figure 14b.

[Figure 14a: Observed change in sequence number in wireless traffic during the testing phase between 300 and 700 seconds]

[Figure 14b: Deviation level produced by the fuzzy classifier during the testing phase, indicating the abnormality in sequence number between 300 and 700 seconds]

4 Discussion

The paper describes the use of an agent-based multilevel monitoring system called MMDS. It appears to be a very useful tool for intrusion detection in both wired and wireless networks. We have tested MMDS with some simulated attacks in a wireless network. As was shown, MMDS was able to detect these attacks as they were launched. When an attack begins, MMDS detects the abnormality, and subsequently the fuzzy decision system classifies the attack based on its training. The MMDS console (GUI components) allows the changes in various parameters to be viewed graphically. This gives a better understanding of the environment and the various attacks. The current implementation of MMDS only allows offline training; adding the ability to train online will be a useful extension to MMDS. The initial results are encouraging, but it is necessary to test MMDS with a broader set of attacks. Our future work includes the addition of other decision algorithms such as classifier systems and sophisticated anomaly detection techniques [10].

Acknowledgements

This work was funded by the Defense Advanced Research Projects Agency (contract no. F ).

References

1. A. Stubblefield, J. Ioannidis, A. Rubin. Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. AT&T Labs Technical Report, TD4ZCPZZ, Revision 2, August 21.
2. D. Dasgupta and F. Gonzalez. An Intelligent Decision Support System for Intrusion Detection and Response. Lecture Notes in Computer Science (Springer-Verlag), proceedings of the International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security (MMM-ACNS), May 21-23, 2001, St. Petersburg, Russia.

3. E. Eskin. Anomaly detection over noisy data using learned probability distributions. In Proc. 17th International Conf. on Machine Learning, Morgan Kaufmann, San Francisco, CA.
4. T. Lane. Machine Learning Techniques for the Computer Security. PhD thesis, Purdue University.
5. L. Zhou and Z. J. Haas. Securing Ad Hoc Networks. IEEE Network Magazine, Vol. 13, no. 6, November/December.
6. Y. Zhang and W. Lee. Intrusion detection in wireless ad hoc networks. ACM MOBICOM.
7. J. Gomez and D. Dasgupta. Evolving Fuzzy Rules for Intrusion Detection. In the proceedings of the Information Assurance Workshop, West Point, NY, June 17-19.
8. D. Dasgupta and G. Dunlap. An Administrative Tool for Distributed Security Task Scheduling. In the proceedings of the Third Annual International Systems Security Engineering Association Conference, held March 13-March 15.
9. D. Dasgupta, F. Gonzalez, K. Yallapu, J. Gomez, R. Yarramsetti, G. Dunlap, M. Greaves. Cougaar based Intrusion Detection System (CIDS). CS Technical Report No. CS, February.
10. D. Dasgupta and F. Gonzalez. An Immunity-Based Technique to Characterize Intrusions in Computer Networks. IEEE Transactions on Evolutionary Computation, Vol. 6, No. 3, June.
11. D. Dasgupta and H. Brian. Mobile Security Agents for Network Traffic Analysis. IEEE Computer Society Press, proceedings of the second DARPA Information Survivability Conference and Exposition II (DISCEX-II), 13-14 June 2001, Anaheim, California.
12. T. Lim and W. Loh. A Comparison of Prediction Accuracy, Complexity, and Training Time of Thirty-Three Old and New Classification Algorithms. Technical Report, Department of Statistics, University of Wisconsin-Madison, No.
13. J. Gomez and D. Dasgupta. Using Competitive Operators and a Local Selection Scheme in Genetic Search. In the proceedings of the Evolutionary Computation Conference GECCO02.
14. Pablo Brenner. A technical tutorial on the IEEE 802.11 standard (last accessed on April 25, 2003).
15. Wellenreiter. Wireless LAN Discovery and Auditing Tool (last accessed on April 25, 2003).
16. Ethereal Network Analyzer (last accessed on April 25, 2003).
17. Airsnort (last accessed on April 25, 2003).


Research on Applications of Data Mining in Electronic Commerce. Xiuping YANG 1, a International Conference on Education Technology, Management and Humanities Science (ETMHS 2015) Research on Applications of Data Mining in Electronic Commerce Xiuping YANG 1, a 1 Computer Science Department,

More information

Specification-based Intrusion Detection. Michael May CIS-700 Fall 2004

Specification-based Intrusion Detection. Michael May CIS-700 Fall 2004 Specification-based Intrusion Detection Michael May CIS-700 Fall 2004 Overview Mobile ad hoc networking (MANET) new area of protocols Some old networking solutions work (TCP/IP) but things change with

More information

CS-MARS Integration for Cisco Unified Wireless

CS-MARS Integration for Cisco Unified Wireless 9 CHAPTER A secure unified network, featuring both wired and wireless access, requires an integrated, defense-in-depth approach to security, including cross-network anomaly detection and correlation that

More information

Web Security Vulnerabilities: Challenges and Solutions

Web Security Vulnerabilities: Challenges and Solutions Web Security Vulnerabilities: Challenges and Solutions A Tutorial Proposal for ACM SAC 2018 by Dr. Hossain Shahriar Department of Information Technology Kennesaw State University Kennesaw, GA 30144, USA

More information

Analyzing Outlier Detection Techniques with Hybrid Method

Analyzing Outlier Detection Techniques with Hybrid Method Analyzing Outlier Detection Techniques with Hybrid Method Shruti Aggarwal Assistant Professor Department of Computer Science and Engineering Sri Guru Granth Sahib World University. (SGGSWU) Fatehgarh Sahib,

More information

Intelligent Risk Identification and Analysis in IT Network Systems

Intelligent Risk Identification and Analysis in IT Network Systems Intelligent Risk Identification and Analysis in IT Network Systems Masoud Mohammadian University of Canberra, Faculty of Information Sciences and Engineering, Canberra, ACT 2616, Australia masoud.mohammadian@canberra.edu.au

More information

Framework For Cloud Computing Networks Pdf

Framework For Cloud Computing Networks Pdf A Cooperative Intrusion Detection System Framework For Cloud Computing Networks Pdf of Intrusion Detection Systems proposed over the years. Cloud Computing Cloud Computing suffers from various network

More information

Chapter 5: Vulnerability Analysis

Chapter 5: Vulnerability Analysis Chapter 5: Vulnerability Analysis Technology Brief Vulnerability analysis is a part of the scanning phase. In the Hacking cycle, vulnerability analysis is a major and important part. In this chapter, we

More information

Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows

Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows S. Farzaneh Tabatabaei 1, Mazleena Salleh 2, MohammadReza Abbasy 3 and MohammadReza NajafTorkaman 4 Faculty of Computer

More information

Intrusion Detection System

Intrusion Detection System Intrusion Detection System Marmagna Desai March 12, 2004 Abstract This report is meant to understand the need, architecture and approaches adopted for building Intrusion Detection System. In recent years

More information

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

White Paper. Why IDS Can t Adequately Protect Your IoT Devices White Paper Why IDS Can t Adequately Protect Your IoT Devices Introduction As a key component in information technology security, Intrusion Detection Systems (IDS) monitor networks for suspicious activity

More information

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS Wireless networks are everywhere, from the home to corporate data centres. They make our lives easier by avoiding bulky cables and related problems. But with these

More information

The k-means Algorithm and Genetic Algorithm

The k-means Algorithm and Genetic Algorithm The k-means Algorithm and Genetic Algorithm k-means algorithm Genetic algorithm Rough set approach Fuzzy set approaches Chapter 8 2 The K-Means Algorithm The K-Means algorithm is a simple yet effective

More information

Managing Rogue Devices

Managing Rogue Devices Information About Rogue Devices, page 1 Configuring Rogue Detection (GUI), page 5 Configuring Rogue Detection (CLI), page 8 Information About Rogue Devices Rogue access points can disrupt wireless LAN

More information

FUZZY DATA MINING AND GENETIC ALGORITHMS APPLIED TO INTRUSION DETECTION. Abstract

FUZZY DATA MINING AND GENETIC ALGORITHMS APPLIED TO INTRUSION DETECTION. Abstract FUZZY DATA MINING AND GENETIC ALGORITHMS APPLIED TO INTRUSION DETECTION Susan M. Bridges, Associate Professor Rayford B. Vaughn, Associate Professor Department of Computer Science Mississippi State University

More information

Bayesian Learning Networks Approach to Cybercrime Detection

Bayesian Learning Networks Approach to Cybercrime Detection Bayesian Learning Networks Approach to Cybercrime Detection N S ABOUZAKHAR, A GANI and G MANSON The Centre for Mobile Communications Research (C4MCR), University of Sheffield, Sheffield Regent Court, 211

More information

SOFT COMPUTING TECHNIQUES FOR INTRUSION DETECTION. A Dissertation. Presented for the. Doctor of Philosophy. Degree. The University of Memphis

SOFT COMPUTING TECHNIQUES FOR INTRUSION DETECTION. A Dissertation. Presented for the. Doctor of Philosophy. Degree. The University of Memphis SOFT COMPUTING TECHNIQUES FOR INTRUSION DETECTION A Dissertation Presented for the Doctor of Philosophy Degree The University of Memphis Jonatan Gomez Perdomo August 2004 i Dedication This work is dedicated

More information

A Neuro-Fuzzy Classifier for Intrusion Detection Systems

A Neuro-Fuzzy Classifier for Intrusion Detection Systems . 11 th International CSI Computer Conference (CSICC 2006), School of Computer Science, IPM, Jan. 24-26, 2006, Tehran, Iran. A Neuro-Fuzzy Classifier for Intrusion Detection Systems Adel Nadjaran Toosi

More information

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy CHAPTER 9 DEVELOPING NETWORK SECURITY STRATEGIES Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy Network Security Design

More information

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 13 Chapter 6: Intrusion Detection Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events,

More information

International Journal of Scientific & Engineering Research, Volume 4, Issue 7, July-2013 ISSN

International Journal of Scientific & Engineering Research, Volume 4, Issue 7, July-2013 ISSN 1 Review: Boosting Classifiers For Intrusion Detection Richa Rawat, Anurag Jain ABSTRACT Network and host intrusion detection systems monitor malicious activities and the management station is a technique

More information

A multi-step attack-correlation method with privacy protection

A multi-step attack-correlation method with privacy protection A multi-step attack-correlation method with privacy protection Research paper A multi-step attack-correlation method with privacy protection ZHANG Yongtang 1, 2, LUO Xianlu 1, LUO Haibo 1 1. Department

More information

Classification of Concept-Drifting Data Streams using Optimized Genetic Algorithm

Classification of Concept-Drifting Data Streams using Optimized Genetic Algorithm Classification of Concept-Drifting Data Streams using Optimized Genetic Algorithm E. Padmalatha Asst.prof CBIT C.R.K. Reddy, PhD Professor CBIT B. Padmaja Rani, PhD Professor JNTUH ABSTRACT Data Stream

More information

CHAPTER V KDD CUP 99 DATASET. With the widespread use of computer networks, the number of attacks has grown

CHAPTER V KDD CUP 99 DATASET. With the widespread use of computer networks, the number of attacks has grown CHAPTER V KDD CUP 99 DATASET With the widespread use of computer networks, the number of attacks has grown extensively, and many new hacking tools and intrusive methods have appeared. Using an intrusion

More information

IJESRT. [Dahiya, 2(5): May, 2013] ISSN: Keywords: AODV, DSDV, Wireless network, NS-2.

IJESRT. [Dahiya, 2(5): May, 2013] ISSN: Keywords: AODV, DSDV, Wireless network, NS-2. IJESRT INTERNATIONAL JOURNAL OF ENGINEERING SCIENCES & RESEARCH TECHNOLOGY Performance Comparison of ADSDV and DSDV in MANET Brahm Prakash Dahiya Shaym Lal College,New Delhi, India brahmprakasd@gmail.com

More information

Overview of Security

Overview of Security Overview of 802.11 Security Bingdong Li Present for CPE 601 2/9/2011 Sources: 1 Jesse Walker (Intel) & 2. WinLab 1 Agenda Introduction 802.11 Basic Security Mechanisms What s Wrong? Major Risks Recommendations

More information

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder. Outline 18-759: Wireless Networks Lecture 10: 802.11 Management Peter Steenkiste Departments of Computer Science and Electrical and Computer Engineering Spring Semester 2016 http://www.cs.cmu.edu/~prs/wirelesss16/

More information

Evolution of Fuzzy Rule Based Classifiers

Evolution of Fuzzy Rule Based Classifiers Evolution of Fuzzy Rule Based Classifiers Jonatan Gomez Universidad Nacional de Colombia and The University of Memphis jgomezpe@unal.edu.co, jgomez@memphis.edu Abstract. The paper presents an evolutionary

More information

Securing a Wireless LAN

Securing a Wireless LAN Securing a Wireless LAN This module describes how to apply strong wireless security mechanisms on a Cisco 800, 1800, 2800, or 3800 series integrated services router, hereafter referred to as an access

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

Analysis of Black-Hole Attack in MANET using AODV Routing Protocol

Analysis of Black-Hole Attack in MANET using AODV Routing Protocol Analysis of Black-Hole Attack in MANET using Routing Protocol Ms Neha Choudhary Electronics and Communication Truba College of Engineering, Indore India Dr Sudhir Agrawal Electronics and Communication

More information

DUE TO advances in information-communication technology,

DUE TO advances in information-communication technology, IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS PART B: CYBERNETICS, VOL. 36, NO. 3, JUNE 2006 559 Evolutionary Neural Networks for Anomaly Detection Based on the Behavior of a Program Sang-Jun Han

More information

NETWORK FAULT DETECTION - A CASE FOR DATA MINING

NETWORK FAULT DETECTION - A CASE FOR DATA MINING NETWORK FAULT DETECTION - A CASE FOR DATA MINING Poonam Chaudhary & Vikram Singh Department of Computer Science Ch. Devi Lal University, Sirsa ABSTRACT: Parts of the general network fault management problem,

More information

Identifying Stepping Stone Attack using Trace Back Based Detection Approach

Identifying Stepping Stone Attack using Trace Back Based Detection Approach International Journal of Security Technology for Smart Device Vol.3, No.1 (2016), pp.15-20 http://dx.doi.org/10.21742/ijstsd.2016.3.1.03 Identifying Stepping Stone Attack using Trace Back Based Detection

More information

A Knowledge-based Alert Evaluation and Security Decision Support Framework 1

A Knowledge-based Alert Evaluation and Security Decision Support Framework 1 A Knowledge-based Alert Evaluation and Security Decision Support Framework 1 Jinqiao Yu Department of Mathematics and Computer Science Illinois Wesleyan Univerisity P.O.Box 2900 Bloomington, IL 61701 Ramana

More information

INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK

INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK Abinesh Kamal K. U. and Shiju Sathyadevan Amrita Center for Cyber Security Systems and Networks, Amrita School of Engineering, Amritapuri, Amrita Vishwa

More information

Mapping Internet Sensors with Probe Response Attacks

Mapping Internet Sensors with Probe Response Attacks Mapping Internet Sensors with Probe Response Attacks John Bethencourt, Jason Franklin, and Mary Vernon {bethenco, jfrankli, vernon}@cs.wisc.edu Computer Sciences Department University of Wisconsin, Madison

More information

Unsupervised Clustering of Web Sessions to Detect Malicious and Non-malicious Website Users

Unsupervised Clustering of Web Sessions to Detect Malicious and Non-malicious Website Users Unsupervised Clustering of Web Sessions to Detect Malicious and Non-malicious Website Users ANT 2011 Dusan Stevanovic York University, Toronto, Canada September 19 th, 2011 Outline Denial-of-Service and

More information

A Virtual Laboratory for Study of Algorithms

A Virtual Laboratory for Study of Algorithms A Virtual Laboratory for Study of Algorithms Thomas E. O'Neil and Scott Kerlin Computer Science Department University of North Dakota Grand Forks, ND 58202-9015 oneil@cs.und.edu Abstract Empirical studies

More information

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE International Journal of Scientific & Engineering Research, Volume 4, Issue 4, April-2013 1492 Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE,

More information

Man in the middle. Bởi: Hung Tran

Man in the middle. Bởi: Hung Tran Man in the middle Bởi: Hung Tran INTRODUCTION In today society people rely a lot on the Internet for studying, doing research and doing business. Internet becomes an integral part of modern life and many

More information

Managing Rogue Devices

Managing Rogue Devices Finding Feature Information, page 1 Information About Rogue Devices, page 1 How to Configure Rogue Detection, page 6 Monitoring Rogue Detection, page 8 Examples: Rogue Detection Configuration, page 9 Additional

More information

Security Analysis of Common Wireless Networking Implementations

Security Analysis of Common Wireless Networking Implementations Security Analysis of Common Wireless Networking Implementations Brian Cavanagh CMPT 585 12/12/2005 The use of wireless networking to connect to the internet has grown by leaps and bounds in recent years.

More information

Intrusion Detection Using Data Mining Technique (Classification)

Intrusion Detection Using Data Mining Technique (Classification) Intrusion Detection Using Data Mining Technique (Classification) Dr.D.Aruna Kumari Phd 1 N.Tejeswani 2 G.Sravani 3 R.Phani Krishna 4 1 Associative professor, K L University,Guntur(dt), 2 B.Tech(1V/1V),ECM,

More information

Basic Concepts in Intrusion Detection

Basic Concepts in Intrusion Detection Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification

More information

Classification Using Unstructured Rules and Ant Colony Optimization

Classification Using Unstructured Rules and Ant Colony Optimization Classification Using Unstructured Rules and Ant Colony Optimization Negar Zakeri Nejad, Amir H. Bakhtiary, and Morteza Analoui Abstract In this paper a new method based on the algorithm is proposed to

More information

A Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence

A Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence 2nd International Conference on Electronics, Network and Computer Engineering (ICENCE 206) A Network Intrusion Detection System Architecture Based on Snort and Computational Intelligence Tao Liu, a, Da

More information

What is Eavedropping?

What is Eavedropping? WLAN Security What is Eavedropping? War Driving War Driving refers to someone driving around with a laptop and an 802.11 client card looking for an 802.11 system to exploit. War Walking Someone walks

More information

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology ISSN 2229-5518 321 Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology Abstract - Nowadays all are working with cloud Environment(cloud

More information

Home Computer and Internet User Security

Home Computer and Internet User Security Home Computer and Internet User Security Lawrence R. Rogers Version 1.0.4 CERT Training and Education Networked Systems Survivability Software Engineering Institute Carnegie Mellon University Pittsburgh,

More information

Engineering Swarm- Services CS

Engineering Swarm- Services CS Engineering Swarm- Services CS 294-97 Spring 2014 John Wawrzynek Adam Wolisz Technische Universitat Berlin UC Berkeley EECS Adjunct Lecture 01, Introduction 1 CS294-97, UC Berkeley Spring 14 Beacons Transmitted

More information

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Using Threat Analytics to Protect Privileged Access and Prevent Breaches Using Threat Analytics to Protect Privileged Access and Prevent Breaches Under Attack Protecting privileged access and preventing breaches remains an urgent concern for companies of all sizes. Attackers

More information

The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013

The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013 The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013 Florin OGÎGĂU-NEAMŢIU National Defense University of Romania "Carol I"/ The Regional

More information

Requirements from the

Requirements from the Requirements from the collaborative Protection Profile for Network Devices Extended Package (EP) for Wireless Intrusion Detection/Prevention Systems (WIDS/WIPS) Version: 1.0 2016-10-06 National Assurance

More information

Detecting Protected Layer-3 Rogue APs

Detecting Protected Layer-3 Rogue APs Detecting Protected Layer-3 Rogue APs Authors: Hongda Yin, Guanling Chen, and Jie Wang Department of Computer Science, University of Massachusetts Lowell Presenter: Bo Yan Department of Computer Science

More information

Spoofing Detection in Wireless Networks

Spoofing Detection in Wireless Networks RESEARCH ARTICLE OPEN ACCESS Spoofing Detection in Wireless Networks S.Manikandan 1,C.Murugesh 2 1 PG Scholar, Department of CSE, National College of Engineering, India.mkmanikndn86@gmail.com 2 Associate

More information

Fuzzy Intrusion Detection

Fuzzy Intrusion Detection Fuzzy Intrusion Detection John E. Dickerson, Jukka Juslin, Ourania Koukousoula, Julie A. Dickerson Electrical and Computer Engineering Department Iowa State University Ames, IA, USA {jedicker,juslin,koukouso,julied}@iastate.edu

More information

International Journal of Research in Advent Technology, Vol.7, No.3, March 2019 E-ISSN: Available online at

International Journal of Research in Advent Technology, Vol.7, No.3, March 2019 E-ISSN: Available online at Performance Evaluation of Ensemble Method Based Outlier Detection Algorithm Priya. M 1, M. Karthikeyan 2 Department of Computer and Information Science, Annamalai University, Annamalai Nagar, Tamil Nadu,

More information

Intrusion Detection System with FGA and MLP Algorithm

Intrusion Detection System with FGA and MLP Algorithm Intrusion Detection System with FGA and MLP Algorithm International Journal of Engineering Research & Technology (IJERT) Miss. Madhuri R. Yadav Department Of Computer Engineering Siddhant College Of Engineering,

More information

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis CS-435 Lecture preview 802.11 Security IEEE

More information

Lecture Notes on Critique of 1998 and 1999 DARPA IDS Evaluations

Lecture Notes on Critique of 1998 and 1999 DARPA IDS Evaluations Lecture Notes on Critique of 1998 and 1999 DARPA IDS Evaluations Prateek Saxena March 3 2008 1 The Problems Today s lecture is on the discussion of the critique on 1998 and 1999 DARPA IDS evaluations conducted

More information

Multivariate Correlation Analysis based detection of DOS with Tracebacking

Multivariate Correlation Analysis based detection of DOS with Tracebacking 1 Multivariate Correlation Analysis based detection of DOS with Tracebacking Jasheeda P Student Department of CSE Kathir College of Engineering Coimbatore jashi108@gmail.com T.K.P.Rajagopal Associate Professor

More information

Detecting MAC Spoofing Using ForeScout CounterACT

Detecting MAC Spoofing Using ForeScout CounterACT Detecting MAC Spoofing Using ForeScout CounterACT Professional Services Library Introduction MAC address spoofing is used to impersonate legitimate devices, circumvent existing security mechanisms and

More information

Role of Cross Layer Based Intrusion Detection System for Wireless Domain

Role of Cross Layer Based Intrusion Detection System for Wireless Domain Int. J. Communications, Network and System Sciences, 2012, 5, 81-85 http://dx.doi.org/10.4236/ijcns.2012.52010 Published Online February 2012 (http://www.scirp.org/journal/ijcns) 81 Role of Cross Layer

More information

Evolving SQL Queries for Data Mining

Evolving SQL Queries for Data Mining Evolving SQL Queries for Data Mining Majid Salim and Xin Yao School of Computer Science, The University of Birmingham Edgbaston, Birmingham B15 2TT, UK {msc30mms,x.yao}@cs.bham.ac.uk Abstract. This paper

More information

Analyzing Flow-based Anomaly Intrusion Detection using Replicator Neural Networks. Carlos García Cordero Sascha Hauke Max Mühlhäuser Mathias Fischer

Analyzing Flow-based Anomaly Intrusion Detection using Replicator Neural Networks. Carlos García Cordero Sascha Hauke Max Mühlhäuser Mathias Fischer Analyzing Flow-based Anomaly Intrusion Detection using Replicator Neural Networks Carlos García Cordero Sascha Hauke Max Mühlhäuser Mathias Fischer The Beautiful World of IoT 06.03.2018 garcia@tk.tu-darmstadt.de

More information

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

A Configuration Protocol for Embedded Devices on Secure Wireless Networks A Configuration Protocol for Embedded Devices on Secure Wireless Networks Larry Sanders lsanders@ittc.ku.edu 6 May 2003 Introduction Wi-Fi Alliance Formally Wireless Ethernet Compatibility Alliance (WECA)

More information

Wireless Security Protocol Analysis and Design. Artoré & Bizollon : Wireless Security Protocol Analysis and Design

Wireless Security Protocol Analysis and Design. Artoré & Bizollon : Wireless Security Protocol Analysis and Design Protocol Analysis and Design 1 Networks 1. WIRELESS NETWORKS 2 Networks 1. WIRELESS NETWORKS 1.1 WiFi 802.11 3 Networks OSI Structure 4 Networks Infrastructure Networks BSS : Basic Set Service ESS : Extended

More information

Wi-Fi Activity in Open Environments: Tools, Measurements, and Analyses. Thomas Claveirole Ph.D. Defense February 26, 2010

Wi-Fi Activity in Open Environments: Tools, Measurements, and Analyses. Thomas Claveirole Ph.D. Defense February 26, 2010 Wi-Fi Activity in Open Environments: Tools, Measurements, and Analyses Thomas Claveirole Ph.D. Defense February 26, 2010 Ana Cavalli Reviewer Prof. TÉLÉCOM & Management SudParis Thierry Turletti Reviewer

More information

SYSTEM THREAT ANALYSIS FOR HIGH ASSURANCE SOFTWARE DEFINED RADIOS

SYSTEM THREAT ANALYSIS FOR HIGH ASSURANCE SOFTWARE DEFINED RADIOS SYSTEM THREAT ANALYSIS FOR HIGH ASSURANCE SOFTWARE DEFINED RADIOS David Murotake, (SCA Technica, Inc. Nashua NH, USA; david.murotak@scatechnica.com) Antonio Martin (SCA Technica, Inc., Nashua NH, USA;

More information

Wireless Network Security Fundamentals and Technologies

Wireless Network Security Fundamentals and Technologies Wireless Network Security Fundamentals and Technologies Rakesh V S 1, Ganesh D R 2, Rajesh Kumar S 3, Puspanathan G 4 1,2,3,4 Department of Computer Science and Engineering, Cambridge Institute of Technology

More information

Wireless Network Security Spring 2016

Wireless Network Security Spring 2016 Wireless Network Security Spring 2016 Patrick Tague Class #7 WiFi Security 1 Announcements Please do HW#2 in using the stable OMNET++ 4.6, not the beta version. Porting has proven difficult... Form project

More information

Flow-based Anomaly Intrusion Detection System Using Neural Network

Flow-based Anomaly Intrusion Detection System Using Neural Network Flow-based Anomaly Intrusion Detection System Using Neural Network tational power to analyze only the basic characteristics of network flow, so as to Intrusion Detection systems (KBIDES) classify the data

More information

Network Encryption 3 4/20/17

Network Encryption 3 4/20/17 The Network Layer Network Encryption 3 CSC362, Information Security most of the security mechanisms we have surveyed were developed for application- specific needs electronic mail: PGP, S/MIME client/server

More information

MULTIVARIATE ANALYSIS OF STEALTH QUANTITATES (MASQ)

MULTIVARIATE ANALYSIS OF STEALTH QUANTITATES (MASQ) MULTIVARIATE ANALYSIS OF STEALTH QUANTITATES (MASQ) Application of Machine Learning to Testing in Finance, Cyber, and Software Innovation center, Washington, D.C. THE SCIENCE OF TEST WORKSHOP 2017 AGENDA

More information