An IPv6-Oriented IDS Framework and Solutions of Two Problems


Wei LI 1, Zhiyi FANG 1, Peng XU 1 and Haiyang SI 1,2
1 School of Computer Science and Technology, Jilin University, Changchun, 130012, P.R. China
2 Graduate University of Chinese Academy of Science, Shenyang Institute of Computing Technology, Shenyang, China
musicalife@live.com, fangzy@jlu.edu.cn

ABSTRACT

In order to lower the false positives rate and the false negatives rate, a payload-adapt IDS framework in IPv6/4 environments is proposed in this paper. By using the decision-tree-based classification method, a rule matching tree adapted to load characteristics is created dynamically, which improves the detection efficiency. Making use of Petri nets to build a model of complicated attack behavior, and then forming the complicated attack rule library, improves the detection accuracy rate. In the end, the experiment proves our solutions are feasible and effective to resolve the problems that current IDS face.

Keywords: IDS, IPv6, false positives rate, false negatives rate, payload-adapt and Petri net.

1. INTRODUCTION

In IPv4, intrusion detection technology has been studied by many people. But in IPv6, the relevant research is still smaller. More manufacturers simply transform existing IPv4 products into ones supporting IPv6. Some new characteristics of IPv6, as well as the issue of network security, have not been fully taken into account. Therefore, intrusion detection research on IPv6 will be the future direction of development. This paper is IDS research on IPv6 [1].

To enhance the detection speed, Qian Tang [2] and Xiaofeng Ren [3] proposed their own intrusion detection methods respectively, but those methods have some disadvantages. In this paper, we propose a payload-adapt intrusion detection method. By using the decision-tree-based classification method, a rule matching tree adapted to load characteristics is created dynamically, which improves the detection efficiency. It is carried out by the Rule Matching Tree Generation in the Payload-adapt Analysis, which is a very important part of our system. The Collaborative Analysis and Control Centre is the high level of the overall framework; it uses Petri nets [4] to model complex attacks and generate rules, to improve the accuracy of alerts and lower the false positives rate and the false negatives rate.

2. FRAMEWORK OF SYSTEM

With the development of large-scale high-speed internet, network attacks and the increasing complexity of intrusion detection, IDS (Intrusion Detection System) [5-10] is up against a new challenge. To solve the problem which the high-speed environment brings, we propose a payload-adapt IDS framework in IPv6/4 environments. The whole framework is simply described by figure 1.

Fig.1. Payload-adapt IDS Framework under IPv6/4 Environment (blocks, bottom to top: Data Source (High-speed IPv6/4 Network), Data Collector, Payload-adapt Analysis, Collaborative Analysis and Control Centre)

From figure 1 we can find that the entire framework is composed of three parts: Data Collection, Payload-adapt Analysis, and the Collaborative Analysis and Control Centre. The parts are loosely coupled and mutually independent of each other. The framework can be realized by a distributed architecture and used to solve mass data detection problems under large-scale high-speed network environments. The main function of the data collection module is to collect data from the entire network and send it to the other modules. For the collector in a distributed architecture, its main task is to obtain more comprehensive and accurate critical information.

The Payload-adapt Analysis module is used to analyze the raw data from the data collector, give a simple analysis of attacks and send the results to other modules. It is made up of the module that generates the rule-matching tree, the payload-adapt rule-matching tree structure, the payload-adapt detection module, the secure communication module, the response mechanism, data formatting and the configuration management module. The framework is simply shown by figure 2.

Fig.2. Payload-adapt Analysis (modules: Secure Communication, Data Formatting, Response Mechanism, Rule Matching Tree Generation, Management Configuration Center, Payload-adapt Detection Analysis, Payload-adapt Rule-matching Tree; connected to the Collaborative Analysis and Control Centre)

Fig.3. Framework of Collaborative Analysis and Control Centre (modules: Complicated Intrusion Rule Library, Complicated Intrusion Analyzer, Storage Center, Secure Communication, Alarm Response, Control Center, Management Configuration Center; connected to the Payload-adapt Analysis)

The Collaborative Analysis and Control Centre, shown in figure 3, is the high level of the overall framework. It uses Petri nets [5] to model complex attacks and to generate rules from complex attacks, which are used to detect information from the low-level alarms. Because we use technologies such as alarm correlation and information fusion to enhance the credibility of alerts, it may improve the accuracy of alerts and has a lower false positives rate and a lower false negatives rate, to resolve the problem that current IDS face.

3. PAYLOAD-ADAPT INTRUSION DETECTION METHOD AND THE RELATED MODULES

Important Modules Related to the Method

Rule Matching Tree Generation: According to the sample traffic and the rule sets actually acquired, on the basis of protocol analysis, this module generates a rule matching tree by the improved decision tree method. For each event or packet which needs to be detected, it makes the number of rule sets detected the fewest, and achieves the goal of improving the detection speed as much as possible.

Payload-adapt Rule-matching Tree: This is a data structure for saving the new rule sets. It is generated by Rule Matching Tree Generation and is also the analysis base of the Payload-adapt Detection Analysis.

Payload-adapt Detection Analysis: This module is the core of Payload-adapt Analysis and is responsible for the analysis of the data collected from the data acquisition module. According to the rule matching tree adapted to load characteristics generated by Rule Matching Tree Generation, it determines the rule sets for each event or packet which can be detected, and then matches each event or packet rapidly. By using misuse detection technology to detect data packets quickly, it finds the attack packets of known attack types. The detected attack information is sent to the response mechanism module and, after data formatting treatment, on to the Collaborative Analysis and Control Center for further processing. Thus it reduces the mistake and failure rate as much as possible, and improves the accuracy of detection.

Payload-adapt Intrusion Detection Method

By analyzing current detection methods, we can draw the conclusion that network environment change and rule classification asymmetry would seriously affect the IDS detection speed, even if we adopt the currently popular protocol analysis technology. For higher performance, we argue IDS should adapt to the traffic characteristics and the rule characteristics. Like the protocol analysis method, we pre-treat the data received through the values of protocol fields. On the basis

of whether the values of protocol fields match the packets or not, the sets of applicable rules are determined. The difference is that our approach uses the characteristics of the traffic and of the rules to classify rules. Because of the limit of memory, we can't choose all protocol characteristics, and can't maintain all values for every protocol field. Therefore, we build a mathematical model to solve this problem.

Definition 1: $R_k$ refers to a specific rule in the rule set $R$. That is, $R_k = (F_1 = V_1^{r_1} \wedge F_2 = V_2^{r_2} \wedge \cdots \wedge F_n = V_n^{r_n})$, in which $n$ refers to the number of fields with available rules; $F_i$ refers to the $i$-th field of the rule, $i, j \in [1 \cdots n]$; $V_i^{j}$ refers to the $j$-th value of the $i$-th field of the rule; $K$ refers to the number of rules in the rule set, $k \le K$.

Definition 2: $P$ is a set of subsets of the rule set. That is, $P = \{P_1, P_2, \ldots, P_{|P|}\}$, in which $P_i$ is a subset of the rule set $R$, $\bigcup_i P_i = R$ and $P_i \cap P_j = \emptyset$ for $i \ne j$, in which $i, j \in [1 \cdots |P|]$. Here we say $P$ is a category of the rule set.

Definition 3: $Num(P_i)$ refers to the number of packets which satisfy the $i$-th rule subset $P_i$ in the example traffic $S$, in which $S$ is a set of data packets and refers to a sample of the actual network traffic.

Definition 4: $B_k$ is the time used to detect whether a specific data packet satisfies the rule $R_k$ in the rule set.

Definition 5: $T(P_i)$ refers to the time used to detect all data packets satisfied by the $i$-th rule subset $P_i$ of the category $P$ in the rule set $R$ in traffic $S$.

Formula 1: $T(P_i) = Num(P_i) \cdot \sum_{k \le K,\ R_k \in P_i} B_k$, in which $Num(P_i)$ reflects the effect of the load on the detection efficiency and $B_k$ reflects the effect of the rules on the detection efficiency.

Definition 6: $M(P_i)$ refers to the memory used to save the rules of the $i$-th rule subset $P_i$ of the category $P$.

So for an actual traffic $S$ we may present the relationship between categories, detection efficiency and memory by the formulas as follows. Suppose that $|P|$ refers to the number of categories of all rules and $P_i$ refers to the $i$-th category of the rules, $i \in [1 \cdots |P|]$.

Formula 2: Suppose $T$ refers to the time used to detect the example traffic $S$ under the category $P$. Then $T = \sum_{i=1}^{|P|} T(P_i)$.

Formula 3: $M$ refers to the memory used to save the whole detection rule set $R$ under the category $P$. Then $M = \sum_{i=1}^{|P|} M(P_i)$.

Theoretically, if memory is unlimited, the best project is the one making $T$ minimum. But actually it is impossible. We have to find out the category $P^*$ for which $T$ is minimum, by comparing the category sets $P$ composed of different rule fields. That is the project we need. Formulas 2 and 3 give us a judgment method for comparing the advantages and disadvantages of different projects. Induction of the traffic gives us a new illumination: the problem proposed before can be solved theoretically.

The following is the generation algorithm of the payload-adapt rule matching tree we proposed. We suppose as follows: the memory saving the data is fixed; the time used to detect whether a data packet matches the rule $R_k$ in the rule set is fixed; $N_R$ refers to the number of rules in the rule set $R$, and $N_T$ refers to the number of data packets in the example traffic $S$; then we define $E_p$ as the percentage of the rules detected by each packet on average among the whole number of rules after taking the category $P$, that is $E_p = N_p / (N_R + N_T)$.

Generate_Rule_tree produces a rule tree from the assigned rule sets and traffic sets.
Input: rule sets, rules; traffic sets, traffics, respectively represented by the corresponding discrete attribute values; the attribute list composed of the candidate rule fields, attribute_list.
Output: a rule tree.
The algorithm is as follows:

    Build node N;
    IF attribute_list is empty THEN
        Return N as a leaf node; mark rules for the general category;    // recursion end
    Calculate the Gain(P) of each attribute in attribute_list;
    IF an attribute which meets the condition exists (test_attribute) THEN
        Mark node N for test_attribute;
    ELSE
        Return N as a leaf node, mark rules for the general category;    // recursion end
    FOR each value v of test_attribute                                      // demarcate rules
        Build a branch node for the condition test_attribute = v under node N;
        Rnum = the number of rules meeting the condition, and conduct the rules;
        Tnum = the number of packets meeting the condition, and conduct the traffics;
        IF Tnum == 0 THEN
            Return node N as a leaf node, into the next cycle;
        Assume R to be the rule sets of test_attribute = v in rules;        // rule division
        Assume D to be the traffic sets of test_attribute = v in datas;     // traffic division
        Generate_Rule_tree(R, D, attribute_list - test_attribute);
    Next;
    Cancel the mark of node N;

4. USING PETRI NETS TO LOWER THE FALSE POSITIVES RATE AND THE FALSE NEGATIVES RATE FURTHER

According to the intermediate detection results reported by each sub detection center, the complex intrusion analyzer based on Petri nets makes full use of the complex attack model represented by the Petri net model to carry on alarm information fusion and comprehensive analysis, and to reduce mistakes and failures further. Figure 4 describes the detection process.

Fig.4. Analysis process of Complex Intrusion Analyzer based on Petri net (components: Suspicious Behavior Library, Complex Intrusion Rule Library, Pattern Matching Device, Suspicious Behavior Judgment Device, Bottom Suspicious Information, Alarm Response)

In figure 4, the suspicious behavior library is a tree structure. The root node points to the rules which come from the complex intrusion rule library waiting for analysis (added dynamically by the pattern matching device based on Petri nets). It presents the rules referred to by the tracked suspicious behaviors. The lower nodes record the instances satisfying each rule. They represent the specific suspicious behaviors currently being tracked, containing multiple sub nodes of suspicious behaviors. Those suspicious behaviors which need to be further proved have made a partially correct match to the Petri net rules corresponding to each attack behavior.
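The cost model of Section 3 (Formulas 1 to 3) and the Generate_Rule_tree algorithm above can be exercised on a small constructed rule set and traffic sample. The following Python program is an added example written for this page; it is not code from the paper or from PASnort. It assumes a constant per-rule cost B_k = 1, chooses the split attribute by the lowest T under Formula 2 rather than by the paper's Gain(P), treats the memory bound as a per-split limit on M, and treats a field absent from a rule as a wildcard. The rule names, field names and packets are all constructed, and the tree's leaves are checked against a full linear scan so that the speed-up never costs a match.

```python
"""Payload-adapt rule matching tree: cost model (Formulas 1-3) and a
Generate_Rule_tree-style builder whose leaves hold the candidate rules.
Added example; the rules, fields and packets below are constructed."""

# Constructed rule set R. A rule is (name, conditions); a field that is absent
# from the conditions is a wildcard, i.e. the rule does not test that field.
RULES = [
    ("web-scan",     {"proto": "tcp", "dport": 80}),
    ("web-shell",    {"proto": "tcp", "dport": 80, "payload": "cmd"}),
    ("ssh-brute",    {"proto": "tcp", "dport": 22}),
    ("dns-tunnel",   {"proto": "udp", "dport": 53}),
    ("icmp-flood",   {"proto": "icmp"}),
    ("any-backdoor", {"dport": 4444}),
]
ATTRIBUTE_LIST = ["proto", "dport"]  # candidate rule fields to split on

# Constructed sample traffic S standing in for captured IPv6/4 packets.
TRAFFIC = [
    {"proto": "tcp",  "dport": 80,   "payload": "GET"},
    {"proto": "tcp",  "dport": 80,   "payload": "cmd"},
    {"proto": "tcp",  "dport": 22,   "payload": "SSH"},
    {"proto": "tcp",  "dport": 22,   "payload": "SSH"},
    {"proto": "udp",  "dport": 53,   "payload": "A?"},
    {"proto": "udp",  "dport": 53,   "payload": "TXT?"},
    {"proto": "icmp", "dport": None, "payload": "echo"},
    {"proto": "tcp",  "dport": 4444, "payload": "bash"},
]

def rule_matches(conditions, pkt):
    """Full misuse-detection check of one rule's conditions against one packet."""
    return all(pkt.get(field) == value for field, value in conditions.items())

def partition(rules, traffic, field):
    """Category P induced by `field` (Definition 2): one subset P_v per value v.
    Wildcard rules belong to every subset because they can match any value."""
    values = {cond[field] for _, cond in rules if field in cond}
    values |= {pkt.get(field) for pkt in traffic}
    return {v: [(n, c) for n, c in rules if c.get(field, v) == v] for v in values}

def category_cost(rules, traffic, field, b_k=1):
    """Formulas 1-3 with a fixed per-rule cost B_k (assumption: B_k = 1).
    Returns (T, M): T = sum_i Num(P_i) * sum_{R_k in P_i} B_k, M = sum_i |P_i|."""
    total_time = total_memory = 0
    for value, subset in partition(rules, traffic, field).items():
        num = sum(1 for pkt in traffic if pkt.get(field) == value)  # Num(P_i)
        total_time += num * b_k * len(subset)
        total_memory += len(subset)
    return total_time, total_memory

def choose_split(rules, traffic, attrs, memory_limit):
    """Pick the field whose category gives the smallest T with M within the
    memory limit (the paper uses Gain(P); the T criterion is an assumption)."""
    best = None
    for field in attrs:
        t, m = category_cost(rules, traffic, field)
        if memory_limit is not None and m > memory_limit:
            continue
        if best is None or t < best[0]:
            best = (t, field)
    return None if best is None else best[1]

def generate_rule_tree(rules, traffic, attrs, memory_limit=None):
    """Generate_Rule_tree: split rules and traffic on the chosen field and recurse;
    an empty attribute list, a single rule, or no sample traffic (Tnum == 0) ends
    the recursion in a leaf holding the candidate rules."""
    if not attrs or not traffic or len(rules) <= 1:
        return {"leaf": rules}
    field = choose_split(rules, traffic, attrs, memory_limit)
    if field is None:
        return {"leaf": rules}
    remaining = [a for a in attrs if a != field]
    # A value never seen in S can only be matched by rules that wildcard the field.
    node = {"test": field, "branches": {},
            "default": [(n, c) for n, c in rules if field not in c]}
    for value, subset in partition(rules, traffic, field).items():
        sub_traffic = [pkt for pkt in traffic if pkt.get(field) == value]
        node["branches"][value] = generate_rule_tree(subset, sub_traffic, remaining, memory_limit)
    return node

def candidate_rules(tree, pkt):
    """Walk the tree to the rule subset applicable to this packet."""
    while "test" in tree:
        tree = tree["branches"].get(pkt.get(tree["test"]), {"leaf": tree["default"]})
    return tree["leaf"]

def detect(tree, pkt):
    """Names of the rules the packet matches, checking only the leaf's candidates."""
    return [name for name, cond in candidate_rules(tree, pkt) if rule_matches(cond, pkt)]

def detect_linear(rules, pkt):
    """Reference result: check every rule in R."""
    return [name for name, cond in rules if rule_matches(cond, pkt)]

def rules_checked(tree, traffic):
    """Total rule comparisons the tree needs for the traffic (linear scan: len(R) each)."""
    return sum(len(candidate_rules(tree, pkt)) for pkt in traffic)

def tree_agrees_with_linear(tree, rules, packets):
    """The tree must never drop a match that the full scan would find."""
    return all(detect(tree, pkt) == detect_linear(rules, pkt) for pkt in packets)

if __name__ == "__main__":
    for f in ATTRIBUTE_LIST:
        print(f, "T, M =", category_cost(RULES, TRAFFIC, f))
    tree = generate_rule_tree(RULES, TRAFFIC, ATTRIBUTE_LIST)
    print("root test:", tree["test"], "| comparisons:", rules_checked(tree, TRAFFIC),
          "of", len(RULES) * len(TRAFFIC), "| agrees:", tree_agrees_with_linear(tree, RULES, TRAFFIC))
```

On this sample, splitting on `dport` first costs T = 17 with M = 10, against T = 26 with M = 8 for `proto`, so the unconstrained tree tests `dport` at the root and needs 10 rule comparisons for the 8 packets instead of 48; with a memory limit of 9 the `dport` category no longer fits and `proto` is chosen instead, which is the trade-off Formulas 2 and 3 describe. The `default` branch matters for packets whose field value never appeared in S: only wildcard rules can match them, so routing them there keeps the tree's answers identical to a linear scan.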
The suspicious behavior judgment device carries on the further match to every rule instance which is in process in the suspicious behavior library, using the bottom suspicious information as input. If the match is satisfied, it means the reliability of the attack behavior is increasing. If it is judged to be an intrusion, the manager is alarmed through the alarm response module. Otherwise, it is sent on for further processing. According to the suspicious information needing to be judged, which is sent by the suspicious behavior judgment device, the pattern matching device based on Petri nets extracts satisfied rules from the complex intrusion rule library based on Petri nets, to carry on the comparison with the rules (2nd level nodes) of the suspicious behavior library. If they are matched, the specific instance is created under the corresponding node. Otherwise the rule and its first new instance are created under the nodes for the later matching operation.

5. EXPERIMENTAL RESULTS AND ANALYSIS

To prove our solutions are feasible and effective, we developed two components on the basis of Snort to realize the payload-adapt intrusion detection method. The first component is the rule matching tree generation module, carried on by using the decision tree classification method, which generates the payload-adapt rule matching tree according to the actual network traffic S and the available rule sets R. The second component locates the available examination rule sets of each event or packet and takes the rapid rule match to them by using the payload-adapt rule matching tree and the search process of the decision tree. We collected data of three periods and respectively used Snort [11] and our improved Snort (PASnort for short) to carry on experiments. The data obtained from the experiments are recorded in figure 5. In figure 5, the long strips refer to the detection efficiency P, which is presented as the amount of packets processed per second. The start time of detecting is represented by Tstart. The end time of detecting is represented by Tend. Num refers to the number of times the detection module is called, that is the amount of packets. Then, P = Num / (Tend − Tstart).
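The Complex Intrusion Analyzer of Section 4 can be illustrated with a constructed Petri-net rule and a handful of low-level alerts. The following Python program is an added example for this page, not code from the paper's system: the attack rule (a scan, then a burst of authentication failures, then a successful login, then a large outbound transfer), the alert types and the 2001:db8:: source addresses are all constructed, and the idle-time window used to expire unfinished instances is an assumption of this example rather than something the paper specifies. It shows the two roles the section describes: the judgment device advancing instances already in the suspicious behavior library, and the pattern matching device opening a new instance only when an alert makes progress from a rule's initial marking.

```python
"""Complex Intrusion Analyzer: Petri-net attack rules, a suspicious behaviour
library of tracked instances, and alarms raised from low-level alerts.
Added example; the rule, alert types and addresses below are constructed."""

# Constructed Petri-net rule. Places hold tokens; a transition fires when its
# labelled low-level alert arrives AND every input place holds a token; it then
# consumes those tokens and puts one token in its output place.
SCAN_BRUTE_EXFIL = {
    "name": "scan-bruteforce-exfil",
    "initial": "start",
    "final": "intrusion",
    "transitions": [  # (name, input places, output place, triggering alert type)
        ("t_scan",  ["start"],       "scanned",     "port_scan"),
        ("t_brute", ["scanned"],     "bruteforced", "auth_failure_burst"),
        ("t_login", ["bruteforced"], "logged_in",   "auth_success"),
        ("t_exfil", ["logged_in"],   "intrusion",   "large_outbound"),
    ],
}

# Constructed "bottom suspicious information" as reported by sub detection
# centres: one complete chain, one lone scan, one ordinary successful login.
ALERTS = [
    {"t": 0,  "src": "2001:db8::10", "type": "port_scan"},
    {"t": 3,  "src": "2001:db8::99", "type": "port_scan"},
    {"t": 5,  "src": "2001:db8::10", "type": "auth_failure_burst"},
    {"t": 7,  "src": "2001:db8::42", "type": "auth_success"},
    {"t": 9,  "src": "2001:db8::10", "type": "auth_success"},
    {"t": 12, "src": "2001:db8::10", "type": "large_outbound"},
]

class ComplexIntrusionAnalyzer:
    def __init__(self, rules, window=60):
        self.rules = rules
        self.window = window  # seconds an unfinished instance stays tracked (assumption)
        # Suspicious behaviour library: rule node -> {instance key: (marking, last seen)}
        self.library = {rule["name"]: {} for rule in rules}
        self.alarms = []

    @staticmethod
    def fire(rule, marking, event):
        """Fire every transition labelled `event` whose input places are all marked."""
        progressed = False
        for _, inputs, output, label in rule["transitions"]:
            if label == event and all(marking.get(p, 0) > 0 for p in inputs):
                for p in inputs:
                    marking[p] -= 1
                marking[output] = marking.get(output, 0) + 1
                progressed = True
        return progressed

    def process(self, alert):
        """Judgment device: advance the tracked instance for this source, if any;
        pattern matching device: otherwise try the rule from its initial marking
        and open a new instance only when the alert makes progress."""
        key, event, now = alert["src"], alert["type"], alert["t"]
        self.expire(now)
        for rule in self.rules:
            instances = self.library[rule["name"]]
            marking = instances[key][0] if key in instances else {rule["initial"]: 1}
            if not self.fire(rule, marking, event):
                continue  # this alert does not advance this rule for this source
            if marking.get(rule["final"], 0):
                self.alarms.append((rule["name"], key))  # hand to the alarm response
                instances.pop(key, None)
            else:
                instances[key] = (marking, now)  # partial match: keep tracking
        return list(self.alarms)

    def expire(self, now):
        """Drop instances idle longer than the window so the library stays bounded."""
        for instances in self.library.values():
            stale = [k for k, (_, last) in instances.items() if now - last > self.window]
            for k in stale:
                del instances[k]

    def tracked(self):
        """Instances still being followed, per rule node."""
        return {name: sorted(inst) for name, inst in self.library.items()}

def run(alerts, window=60):
    """Feed the alerts in time order and return the analyzer for inspection."""
    analyzer = ComplexIntrusionAnalyzer([SCAN_BRUTE_EXFIL], window)
    for alert in sorted(alerts, key=lambda a: a["t"]):
        analyzer.process(alert)
    return analyzer

if __name__ == "__main__":
    result = run(ALERTS)
    print("alarms:", result.alarms)
    print("still tracked:", result.tracked())
```

Only the source that completes the whole chain produces an alarm; the lone scan stays as a partially matched instance and the ordinary login never opens one, which is the false-positive reduction the section claims for correlating low-level alerts. The expiry window is the practical caveat: it keeps the library from growing without bound, but set too short (run with `window=2` here) it discards the scan before the brute-force burst arrives and the chain is never completed, so the window has to be chosen against the slowest multi-step attack the rule library is meant to catch.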

Fig.5. Detection Efficiency (bar chart of packets per second, axis 0 to 80000, for Data1, Data2 and Data3; PASnort versus Snort)

The experiment indicates (Figure 5): When the features of simple packets are similar to the characteristics of the traffic detected, the detection rate of our approach increased by nearly 20% compared to the original method. When the features of simple packets and the characteristics of the traffic detected have few differences, the detection rate also increased, but only a little. However, it isn't lower than the detection rate of Snort, which fully proves our solution is effective.

Meanwhile, we applied our framework to the Web-Based Teaching System developed by ourselves. Since at the high level we use Petri nets to establish the rule library, we can reduce the false positives rate and the false negatives rate of the alarm information at the lower level, and increase the reliability of detection at the high level and the intrusion detection accuracy, by detecting complicated attacks and correlated attacks through information integration and alarm correlation technology. On the other hand, this can also reduce the burden of network administrators.

6. CONCLUSIONS

In this paper, a payload-adapt IDS framework in IPv6/4 environments is established. By using the Payload-adapt Intrusion Detection Method proposed in the paper, the Payload-adapt Analysis of the framework is realized. It can be utilized to solve the high packet-loss problem. In addition, the Collaborative Analysis and Control Center uses Petri nets to model complex attacks and generate rules to improve the accuracy of alerts. The experiment proves that our solutions are feasible and effective to resolve the problems of high false positives rate and high false negatives rate that current IDS face.

7. REFERENCES

[1] Marcus Goncalves, Kitty Niles, IPv6 Networks, New York: McGraw-Hill, 1998.
[2] Tang Qian, Zhang Dafang, Huang Kun, Using Gain-ratio Based Decision Trees to Improve Intrusion Detection, Computer Engineering, 2006, 32(7): 46-48.
[3] Ren Xiaofeng, Dong Zhanqiu, Research and Implementation on Increasing Speed of Rule-matching in Snort, Computer Applications, 2003, 23(4): 59-61.
[4] Wolfgang Reisig, Petri Nets, Berlin: Springer-Verlag, 1985.
[5] D.E. Denning, An Intrusion-Detection Model, IEEE Transactions on Software Engineering, Vol. 13, No. 2, 1987, pp. 222-232.
[6] J. Frank, Artificial Intelligence and Intrusion Detection: Current and Future Directions, Proceedings of the 17th National Computer Security Conference, 1994.
[7] Richard P. Lippmann, David J. Fried, Isaac Graf, Joshua W. Haines, Kristopher R. Kendall, David McClung, Dan Weber, Seth E. Webster, Dan Wyschogrod, Robert K. Cunningham, and Marc A. Zissman, Evaluating Intrusion Detection Systems: the 1998 DARPA Off-Line Intrusion Detection Evaluation, Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX), Vol. 1.
[8] J.P. Anderson, Computer Security Threat Monitoring and Surveillance, Technical report, James P. Anderson Co., Fort Washington, Pennsylvania, 1980.
[9] Heberlein, L. et al., A Network Security Monitor, Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, 1990, pp. 296-303.
[10] Roy A. Maxion, Kymie M.C. Tan, Benchmarking Anomaly-Based Detection Systems, International Conference on Dependable Systems and Networks (DSN 2000), 2000.
[11] Qi Jiandong, Tao Lan, Sun Zongcan, Dissecting Snort, Tool for Intrusion Detection, Computer Engineering and Design, 2004, pp. 36-39.