An IPv6-Oriented IDS Framework and Solutions of Two Problems

Wei LI (1), Zhiyi FANG (1), Peng XU (1) and Haiyang SHI (1,2)
(1) School of Computer Science and Technology, Jilin University, Changchun, 130012, P.R. China
(2) Graduate University of Chinese Academy of Sciences, Shenyang Institute of Computing Technology, Shenyang, China
musicalife@live.com, fangzy@jlu.edu.cn

ABSTRACT
In order to lower the false positives rate and the false negatives rate, a payload-adapt IDS framework for IPv6/IPv4 environments is proposed in this paper. Using a decision-tree-based classification method, a rule matching tree adapted to the load characteristics is created dynamically, which improves detection efficiency. Petri nets are used to model complicated attack behaviour and to form a complicated attack rule library, which improves the detection accuracy rate. Finally, the experiment shows that our solutions are feasible and effective against the problems that current IDSs face.

Keywords: IDS, IPv6, false positives rate, false negatives rate, payload-adapt, Petri net.

1. INTRODUCTION
In IPv4, intrusion detection technology has been studied by many people, but in IPv6 the relevant research is still small. Most manufacturers simply transform their existing IPv4 products into IPv6-supporting ones, so some new characteristics of IPv6, and the network security issues they raise, have not been fully taken into account. Therefore, intrusion detection research on IPv6 will be a future direction of development. This paper is IDS research on IPv6 [1].

To enhance detection speed, Qian Tang [2] and Xiaofeng Ren [3] each proposed their own intrusion detection method, but those methods have some disadvantages. In this paper, we propose a payload-adapt intrusion detection method. Using a decision-tree-based classification method, a rule matching tree adapted to the load characteristics is created dynamically, which improves detection efficiency. This is carried out by the Rule Matching Tree Generation module of the Payload-adapt Analysis, which is a very important part of our system. The Collaborative Analysis and Control Centre is the high level of the overall framework; it uses Petri nets [4] to model complex attacks and to generate rules, which improves the accuracy of alerts and lowers the false positives rate and the false negatives rate.

2. FRAMEWORK OF SYSTEM
With the development of large-scale, high-speed Internet network attacks and the increasing complexity of intrusion detection, IDSs (Intrusion Detection Systems) [5-10] face a new challenge. To solve the problems brought by the high-speed environment, we propose a payload-adapt IDS framework for IPv6/IPv4 environments. The whole framework is shown simply in Figure 1.

[Fig. 1. Payload-adapt IDS Framework under IPv6/4 Environment: Data Source (high-speed IPv6/4 network) -> Data Collector -> Payload-adapt Analysis -> Collaborative Analysis and Control Centre]

From Figure 1 we can see that the entire framework is composed of three parts: Data Collection, Payload-adapt Analysis, and the Collaborative Analysis and Control Centre. The parts are loosely coupled and mutually independent, so the framework can be realised as a distributed architecture and used to solve the mass-data detection problem of large-scale, high-speed network environments. The main function of the data collection module is to collect data from the entire network and send it to the other modules. For a collector in the distributed architecture, the main task is to obtain more comprehensive and accurate critical information.
The Payload-adapt Analysis module analyses the raw data from the data collector, gives a simple analysis of attacks and sends the results to the other modules. It is made up of the Rule Matching Tree Generation module, the Payload-adapt Rule-matching Tree structure, the Payload-adapt Detection Analysis module, the Secure Communication module, the Response Mechanism, Data Formatting and the Management Configuration Centre. It is shown simply in Figure 2.

[Fig. 2. Payload-adapt Analysis: Rule Matching Tree Generation, Payload-adapt Rule-matching Tree, Payload-adapt Detection Analysis, Secure Communication (to the Collaborative Analysis and Control Centre), Data Formatting, Response Mechanism, Management Configuration Center]

[Fig. 3. Framework of Collaborative Analysis and Control Centre: Secure Communication (from Payload-adapt Analysis), Complicated Intrusion Rule Library, Complicated Intrusion Analyzer, Storage Center, Alarm Response, Control Center, Management Configuration Center]

The Collaborative Analysis and Control Centre, shown in Figure 3, is the high level of the overall framework. It uses Petri nets [4] to model complex attacks and generates rules from those models, which are used to detect complex intrusions from the low-level alarms. Because technologies such as alarm correlation and information fusion are used to enhance the credibility of alerts, it improves alert accuracy and gives a lower false positives rate and a lower false negatives rate, resolving the problem that current IDSs face.

3. PAYLOAD-ADAPT INTRUSION DETECTION METHOD AND THE RELATED MODULES

Modules Related to the Method

Rule Matching Tree Generation: According to the sample traffic and the rule sets actually acquired, and on the basis of protocol analysis, this module generates a rule matching tree by the improved decision tree method. For each event or packet that needs to be detected, it makes the number of rules checked as small as possible, so as to improve detection speed.

Payload-adapt Rule-matching Tree: This is the data structure that saves the new rule sets.
It is generated by Rule Matching Tree Generation and is also the analysis base of Payload-adapt Detection Analysis.

Payload-adapt Detection Analysis: This module is the core of Payload-adapt Analysis and is responsible for analysing the data collected by the data acquisition module. According to the rule matching tree adapted to the load characteristics, it determines the rule set applicable to each event or packet, and then matches each event or packet rapidly against only that set. Using misuse detection technology it detects packets quickly and finds attack packets of known attack types. The detected attack information is sent to the Response Mechanism module and, after data formatting, to the Collaborative Analysis and Control Centre for further processing. Thus it reduces the error and miss rates as far as possible and improves the accuracy of detection.

Payload-adapt Intrusion Detection Method

By analysing current detection methods, we conclude that changes in the network environment and asymmetry in rule classification seriously affect IDS detection speed, even when the currently popular protocol analysis technology is adopted. For higher performance, we argue that an IDS should adapt to both the traffic characteristics and the rule characteristics. Like the protocol analysis method, we pre-treat the received data by the values of protocol fields. On the basis
of whether the values of the protocol fields match the packet or not, the set of applicable rules is determined. The difference is that our approach uses the characteristics of both the traffic and the rules to classify the rules. Because of memory limits we cannot choose all protocol characteristics, and cannot maintain all values for every protocol field. Therefore we build a mathematical model to solve this problem.

Definition 1: $R_k$ refers to a specific rule in the rule set $R$. That is
$$R_k = (F_1 = V_1^{r_1},\; F_2 = V_2^{r_2},\; \ldots,\; F_n = V_n^{r_n}),$$
in which $n$ is the number of fields with available rules; $F_i$ is the $i$-th field of the rule, $i \in [1..n]$; $V_i^{j}$ is the $j$-th value of the $i$-th field of the rule; $K$ is the number of rules in the rule set, $k \in [1..K]$.

Definition 2: $P$ is a set of subsets of the rule set. That is $P = \{P_1, P_2, \ldots, P_m\}$, in which each $P_i$ is a subset of the rule set $R$ and $\bigcup_{i=1}^{m} P_i = R$, $i \in [1..m]$. Here we say $P$ is a category (a classification) of the rule set.

Definition 3: $Num(P_i)$ is the number of packets in the sample traffic $S$ that satisfy the $i$-th rule subset $P_i$, where $S$ is a set of data packets sampled from the actual network traffic.

Definition 4: $B_k$ is the time used to detect whether a specific data packet satisfies the rule $R_k$ of the rule set.

Definition 5: $T(P_i)$ is the time used to detect all the data packets of traffic $S$ that satisfy the $i$-th rule subset $P_i$ of the category $P$ of the rule set $R$.

Formula 1:
$$T(P_i) = Num(P_i) \sum_{k \in [1..K],\; R_k \in P_i} B_k,$$
in which $Num(P_i)$ reflects the effect of the load on detection efficiency and $B_k$ reflects the effect of the rules on detection efficiency.

Definition 6: $M(P_i)$ is the memory used to save the rules of the $i$-th rule subset $P_i$ of the category $P$.

So for an actual traffic $S$ we can express the relationship between categories, detection efficiency and memory by the following formulas. Suppose $m$ is the number of categories of all the rules and $P_i$ is the $i$-th category of the rules, $i \in [1..m]$.

Formula 2: Let $T$ be the time used to detect the sample traffic $S$ under the category $P$. Then
$$T = \sum_{i=1}^{m} T(P_i).$$

Formula 3: Let $M$ be the memory used to save the whole detection rule set $R$ under the category $P$. Then
$$M = \sum_{i=1}^{m} M(P_i).$$

Theoretically, if memory were unlimited, the best project would simply be the one that minimises $T$. In practice that is impossible: we have to find the category $P^{*}$ whose $T$ is minimal, within the memory available, by comparing the category sets $P$ composed from different rule fields. That is the project we need. Formulas 2 and 3 give a method for comparing the advantages and disadvantages of different projects. Induction from the traffic gives us a new illumination, and the problem proposed above can be solved theoretically.

The following is the generation algorithm of the payload-adapt rule matching tree that we propose. We suppose: the memory for saving the data is fixed; the time $B$ used to detect whether a data packet matches a rule $R_k$ of the rule set is fixed; $N_R$ is the number of rules in the rule set $R$, and $N_T$ is the number of data packets in the sample traffic $S$. We then define $E_p$ as the average percentage of the whole rule set that each packet is checked against after the category $P$ is applied, that is $E_p = N_p/(N_R + N_T)$, with $N_p$ the total number of rule matches performed on $S$.

Generate_Rule_tree produces a rule tree from the given rule set and traffic set.
Input: the rule set rules; the traffic set traffics, each item represented by its discrete attribute values; attribute_list, the list of candidate rule fields.
Output: a rule tree.

Algorithm:
  Build node N;
  IF attribute_list is empty THEN
    return N as a leaf node, marked with the rules of the general category;   // recursion ends
  Calculate Gain(P) of each attribute in attribute_list;
  IF an attribute test_attribute meeting the condition exists THEN
    mark node N with test_attribute;
  ELSE
    return N as a leaf node, marked with the rules of the general category;   // recursion ends
  FOR each value v of test_attribute                                           // divide the rules
    build a branch under node N for the condition test_attribute = v;
    Rnum = the number of rules meeting the condition, and conduct the rules;
    Tnum = the number of packets meeting the condition, and conduct the traffic;
    IF Tnum == 0 THEN
      make the branch node a leaf node and go to the next cycle;
    let R_v be the rules in rules with test_attribute = v;        // rule division
    let D_v be the packets in traffics with test_attribute = v;   // traffic division
    Generate_Rule_tree(R_v, D_v, attribute_list - test_attribute);
  Next;
  Cancel the mark of node N;

4. USING PETRI NETS TO LOWER THE FALSE POSITIVES RATE AND FALSE NEGATIVES RATE FURTHER

According to the intermediate detection results reported by each sub detection centre, the complex intrusion analyser based on Petri nets makes full use of the complex attack model represented by the Petri nets to carry out alarm information fusion and comprehensive analysis, and reduces errors and misses further. Figure 4 describes the detection process.

[Fig. 4. Analysis process of the Complex Intrusion Analyzer based on Petri nets: Bottom Suspicious Information, Suspicious Behavior Judgment Device, Suspicious Behavior Library, Pattern Matching Device, Complex Intrusion Rule Library, Alarm Response]

In Figure 4, the suspicious behaviour library is a tree structure. The root node points to the rules from the complex intrusion rule library that are waiting to be analysed (added dynamically by the Petri-net-based pattern matching device); these are the rules referred to by the suspicious behaviours being tracked. The lower nodes record the instances satisfying each rule. They represent the specific suspicious behaviours currently being tracked, and may contain multiple sub-nodes of suspicious behaviours. Each such behaviour still needs further proof: it has made a partial correct match to the Petri net rule corresponding to an attack behaviour.
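The following Python is an added worked example of the Section 3 method, not the authors' PASnort code: it builds the payload-adapt rule matching tree with Generate_Rule_tree, scoring each candidate split by the reduction in the Formula 1 cost $\sum_v Num(P_v)\sum_{R_k \in P_v} B_k$ (the paper's Gain(P) is not spelled out on the page, so this cost-reduction criterion is an assumption), and then matches packets against only the rules in the leaf they reach. The rule set, traffic sample, field names and a uniform $B_k$ are constructed assumptions; a rule that does not test the split field is the paper's "general category" and follows every branch.

```python
"""Rule matching tree built from a rule set and sample traffic (Section 3).

Rules are conjunctions of field = value tests; the sample traffic supplies the
load characteristic.  Each internal node splits on one protocol field, chosen
so that the matching cost of Formula 1 drops the most, so that a packet is
matched only against the rules in the leaf it reaches.
"""
from statistics import mean

# Constructed sample rule set (field names are assumptions for this example).
# A field a rule does not mention is unconstrained: such a rule belongs to the
# "general category" for that field and follows every branch of a split on it.
RULES = {
    "R1": {"proto": "tcp", "dport": 80, "content": "GET /cgi-bin"},
    "R2": {"proto": "tcp", "dport": 80, "content": "../../"},
    "R3": {"proto": "tcp", "dport": 22, "content": "SSH-1.99"},
    "R4": {"proto": "udp", "dport": 53, "content": "\x00\x00\x29"},
    "R5": {"proto": "udp", "dport": 161, "content": "public"},
    "R6": {"proto": "icmp", "content": "\x00" * 8},
    "R7": {"proto": "tcp", "dport": 443, "content": "\x16\x03\x00"},
}
# Constructed sample traffic S: the load is mostly HTTP and DNS.
TRAFFIC = (
    [{"proto": "tcp", "dport": 80, "payload": "GET /index.html"}] * 60
    + [{"proto": "tcp", "dport": 80, "payload": "GET /cgi-bin/x"}] * 5
    + [{"proto": "udp", "dport": 53, "payload": "\x00\x00\x29\x10"}] * 30
    + [{"proto": "udp", "dport": 161, "payload": "public"}] * 3
    + [{"proto": "icmp", "payload": "\x00" * 8}] * 2
)
FIELDS = ["proto", "dport"]  # attribute_list: candidate split fields


def matches(rule, pkt):
    """Misuse check of one rule against one packet (content = substring test)."""
    for f, v in rule.items():
        if f == "content":
            if v not in pkt.get("payload", ""):
                return False
        elif pkt.get(f) != v:
            return False
    return True


def applicable(rules, field, value):
    """Rules that can still fire when field == value: those requiring that
    value plus the general ones that do not test the field at all."""
    return {n: r for n, r in rules.items() if r.get(field, value) == value}


def split_cost(rules, traffic, field, b=1.0):
    """Formula 1 summed over the branches of a split on `field`:
    T = sum_v Num(P_v) * sum_{R_k in P_v} B_k, with a uniform B_k = b."""
    values = {p.get(field) for p in traffic}
    return sum(sum(1 for p in traffic if p.get(field) == v)
               * len(applicable(rules, field, v)) * b for v in values)


def build_tree(rules, traffic, attrs, b=1.0):
    """Generate_Rule_tree: split on the field with the largest cost gain and
    recurse on each value; no attributes, no traffic or no gain gives a leaf."""
    leaf = {"rules": sorted(rules)}
    if not attrs or not traffic or len(rules) <= 1:
        return leaf
    baseline = len(traffic) * len(rules) * b      # every packet checks every rule
    gain, field = max((baseline - split_cost(rules, traffic, f, b), f) for f in attrs)
    if gain <= 0:
        return leaf
    rest = [a for a in attrs if a != field]
    values = {p.get(field) for p in traffic} | {r[field] for r in rules.values() if field in r}
    values.discard(None)
    node = {"field": field, "branches": {},
            # a packet whose value no rule tests can only match the general rules
            "default": {"rules": sorted(n for n, r in rules.items() if field not in r)}}
    for v in values:
        sub_rules = applicable(rules, field, v)
        sub_traffic = [p for p in traffic if p.get(field) == v]   # Tnum == 0 -> leaf
        node["branches"][v] = build_tree(sub_rules, sub_traffic, rest, b)
    return node


def candidate_rules(tree, pkt):
    """Walk the tree with the packet's field values down to its leaf rule set."""
    node = tree
    while "field" in node:
        node = node["branches"].get(pkt.get(node["field"]), node["default"])
    return node["rules"]


def detect(rules, tree, pkt):
    """Payload-adapt detection: match only the candidate rules of the leaf."""
    return [n for n in candidate_rules(tree, pkt) if matches(rules[n], pkt)]


def mean_rules_checked(tree, traffic):
    """Average number of rules matched per packet with the tree (the E_p idea)."""
    return mean(len(candidate_rules(tree, p)) for p in traffic)


if __name__ == "__main__":
    tree = build_tree(RULES, TRAFFIC, FIELDS)
    print("root split:", tree["field"])
    print("rules checked per packet:", mean_rules_checked(tree, TRAFFIC), "of", len(RULES))
    print(detect(RULES, tree, {"proto": "tcp", "dport": 80, "payload": "GET /cgi-bin/x"}))
```

On this sample the root splits on dport (cost 263 against 328 for proto), and the average packet is matched against 1.65 of the 7 rules instead of all of them. The point the paper makes about load adaptation is visible in the numbers: the choice of split field depends on the traffic mix, so a tree generated from one period's sample gives less benefit when the load changes, which is why the tree is regenerated dynamically.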
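The Petri-net tracking of this section, as an added example rather than the authors' analyser: a complex attack rule is a small Petri net whose places are attack stages and whose transitions are enabled by one low-level alarm type; the suspicious behaviour library keeps one marking per rule and per correlation key (the attacking host, an assumption), and an alarm is raised only when a token reaches the rule's final place. The rule topology, the alarm type names and the alarm stream are constructed for the example.

```python
"""Petri-net correlation of low-level alarms into complex-attack alarms (Section 4).

A complex attack rule is a Petri net: places are attack stages, a transition is
enabled by one low-level alarm type when all its input places hold a token.
The suspicious behaviour library keeps, per rule and per correlation key, the
marking of each partially matched instance.  An alarm is raised only when a
token reaches the rule's final place, so isolated low-level alarms never
escalate on their own.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transition:
    name: str
    alarm: str          # low-level alarm type that can fire this transition
    inputs: frozenset   # places that must all hold a token
    output: str         # place that receives the token


@dataclass(frozen=True)
class PetriRule:
    name: str
    initial: tuple      # initial marking: one token in each listed place
    final: str          # reaching this place means the complex attack matched
    transitions: tuple


# Constructed rule (alarm names and topology are assumptions): a scan followed
# by a web attack, concurrently an admin login, then both joined by an exfil.
WEBSHELL_EXFIL = PetriRule(
    name="scan-exploit-exfil",
    initial=("p0", "q0"),
    final="p3",
    transitions=(
        Transition("scan", "PORTSCAN", frozenset({"p0"}), "p1"),
        Transition("exploit", "WEB_ATTACK", frozenset({"p1"}), "p2"),
        Transition("login", "ADMIN_LOGIN", frozenset({"q0"}), "q1"),
        Transition("exfil", "LARGE_OUTBOUND", frozenset({"p2", "q1"}), "p3"),
    ),
)


class Correlator:
    """Suspicious behaviour library plus the judgment / pattern-matching logic."""

    def __init__(self, rules, key=lambda alarm: alarm["src"]):
        self.rules = list(rules)
        self.key = key                                      # correlation key: source host
        self.instances = {r.name: {} for r in self.rules}   # rule -> key -> marking

    @staticmethod
    def enabled(rule, marking, alarm_type):
        return [t for t in rule.transitions
                if t.alarm == alarm_type and all(marking[p] > 0 for p in t.inputs)]

    def feed(self, alarm):
        """Judge one low-level alarm; return the complex alarms it completes."""
        raised = []
        k = self.key(alarm)
        for rule in self.rules:
            tracked = self.instances[rule.name]
            marking = tracked.get(k)
            if marking is None:                  # no instance yet: try a fresh one
                marking = Counter(rule.initial)
            fired = self.enabled(rule, marking, alarm["type"])
            if not fired:
                continue                         # alarm does not advance this rule
            t = fired[0]
            for p in t.inputs:
                marking[p] -= 1
            marking[t.output] += 1
            if marking[rule.final] > 0:
                raised.append((rule.name, k))
                tracked.pop(k, None)
            else:
                tracked[k] = marking             # keep as a partially matched instance
        return raised


def correlate(alarms, rules=(WEBSHELL_EXFIL,)):
    """Run a stream of low-level alarms; return (complex alarms, library state)."""
    c = Correlator(rules)
    raised = []
    for a in alarms:
        raised += c.feed(a)
    return raised, c.instances


# Constructed low-level alarm stream as the Payload-adapt Analysis layer would report it.
SAMPLE_ALARMS = [
    {"src": "10.0.0.5", "type": "PORTSCAN"},
    {"src": "10.0.0.9", "type": "WEB_ATTACK"},      # isolated: never escalates
    {"src": "10.0.0.5", "type": "WEB_ATTACK"},
    {"src": "10.0.0.5", "type": "ADMIN_LOGIN"},
    {"src": "10.0.0.5", "type": "LARGE_OUTBOUND"},  # join fires: complex alarm
    {"src": "10.0.0.7", "type": "ADMIN_LOGIN"},
    {"src": "10.0.0.7", "type": "LARGE_OUTBOUND"},  # exploit branch missing: stays suspicious
]

if __name__ == "__main__":
    raised, library = correlate(SAMPLE_ALARMS)
    print(len(SAMPLE_ALARMS), "low-level alarms ->", raised)
    print("still tracked:", {r: list(v) for r, v in library.items()})
```

Seven low-level alarms collapse to one complex alarm for 10.0.0.5; the lone WEB_ATTACK from 10.0.0.9 never creates an instance, and 10.0.0.7 stays in the library as a partial match awaiting further proof, which is the false-positive reduction the section claims. The join transition is where the Petri net earns its keep over a plain state machine: the exploit chain and the login branch advance independently and in either order.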
The suspicious behaviour judgment device takes the bottom suspicious information as input and carries out further matching of every rule instance in progress in the suspicious behaviour library. If a match is satisfied, the reliability of the attack behaviour increases. If it is judged to be an intrusion, an alarm is raised to the manager through the alarm response module; otherwise the information is sent on to the pattern matching device for further processing. According to the suspicious information sent by the suspicious behaviour judgment device, the Petri-net-based pattern matching device extracts the rules satisfied from the Petri-net-based complex intrusion rule library and compares them with the rules (the second-level nodes) of the suspicious behaviour library. If they match, a specific instance is created under the corresponding node; otherwise the rule and its first new instance are created under the root node for later matching operations.

5. EXPERIMENTAL RESULTS AND ANALYSIS
To prove that our solutions are feasible and effective, we developed two components on the basis of Snort to realise the payload-adapt intrusion detection method. The first component is the rule matching tree generation module, which uses the decision tree classification method to generate the payload-adapt rule matching tree from the actual network traffic S and the available rule sets R. The second component locates the applicable examination rule set for each event or packet, using the payload-adapt rule matching tree and the decision tree search process, and matches rapidly against it. We collected data in three periods and ran Snort [11] and our improved Snort (PASnort for short) on each. The data obtained from the experiments are recorded in Figure 5. In Figure 5, the bars show the detection efficiency P, expressed as the number of packets processed per second. The start time of detection is Tstart and the end time is Tend.
Num is the number of times the detection module is called, that is, the number of packets. Then P = Num / (Tend - Tstart).
[Fig. 5. Detection Efficiency (packets per second, axis 0 to 80000) of PASnort and Snort on Data1, Data2 and Data3]

The experiment (Figure 5) indicates that when the features of the sample packets are similar to the characteristics of the traffic being detected, the detection rate of our approach increased by nearly 20% compared with the original method. When the features of the sample packets and the characteristics of the detected traffic differ, the detection rate also increased, but only a little. In no case, however, is it lower than the detection rate of Snort, which shows that our solution is effective. Meanwhile, we applied our framework to the Web-Based Teaching System developed by ourselves. Because Petri nets are used at the high level to establish the rule library, we can reduce the false positives rate and the false negatives rate of the low-level alarm information, increase the reliability of detection at the high level, and improve intrusion detection accuracy by detecting complicated and correlated attacks through information integration and alarm correlation technology. This also reduces the burden on network administrators.

6. CONCLUSIONS
In this paper, a payload-adapt IDS framework for IPv6/IPv4 environments is established. The Payload-adapt Analysis of the framework is realised with the Payload-adapt Intrusion Detection Method proposed in the paper, and it can be used to solve the high packet-loss problem. In addition, the Collaborative Analysis and Control Centre uses Petri nets to model complex attacks and to generate rules that improve alert accuracy. The experiment shows that our solutions are feasible and effective against the high false positives rate and high false negatives rate that current IDSs face.

7. REFERENCES
[1] Marcus Goncalves, Kitty Niles, IPv6 Networks, New York: McGraw-Hill, 1998.
[2] Tang Qian, Zhang Dafang, Huang Kun, Using Gain-ratio Based Decision Trees to Improve Intrusion Detection, Computer Engineering, 2006, 32(7): 46-48.
[3] Ren Xiaofeng, Dong Zhanqiu, Research and Implementation on Increasing Speed of Rule-matching in Snort, Computer Applications, 2003, 23(4): 59-61.
[4] Wolfgang Reisig, Petri Nets, Berlin: Springer-Verlag, 1985.
[5] D. E. Denning, An Intrusion-Detection Model, IEEE Transactions on Software Engineering, Vol. 13, No. 2, 1987, pp. 222-232.
[6] J. Frank, Artificial Intelligence and Intrusion Detection: Current and Future Directions, Proceedings of the 17th National Computer Security Conference, 1994.
[7] Richard P. Lippmann, David J. Fried, Isaac Graf, Joshua W. Haines, Kristopher R. Kendall, David McClung, Dan Weber, Seth E. Webster, Dan Wyschogrod, Robert K. Cunningham, and Marc A. Zissman, Evaluating Intrusion Detection Systems: the 1998 DARPA Off-Line Intrusion Detection Evaluation, Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX), Vol. 2.
[8] J. P. Anderson, Computer Security Threat Monitoring and Surveillance, Technical report, James P. Anderson Co., Fort Washington, Pennsylvania, 1980.
[9] L. T. Heberlein et al., A Network Security Monitor, Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, 1990, pp. 296-303.
[10] Roy A. Maxion, Kymie M. C. Tan, Benchmarking Anomaly-Based Detection Systems, International Conference on Dependable Systems and Networks (DSN 2000), 2000.
[11] Qi Jiandong, Tao Lan, Sun Zongcan, Dissecting Snort, a Tool for Intrusion Detection, Computer Engineering and Design, 2004, pp. 36-39.