Speedy Signature Based Intrusion Detection System Using Finite State Machine and Hashing Techniques

Similar documents
Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Taxonomy of Intrusion Detection System

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

INTRUSION DETECTION SYSTEMS and Network Security

Network Based Intrusion Detection Using Honey pot Deception

IDS / IPS. James E. Thiel S.W.A.T.

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

How To Protect A Network From Attack From A Hacker (Hbss)

Architecture Overview

A Review on Network Intrusion Detection System Using Open Source Snort

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

An Inspection on Intrusion Detection and Prevention Mechanisms

System Specification. Author: CMU Team

NETWORK INTRUSION DETECTION SYSTEM USING HYBRID CLASSIFICATION MODEL

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

Intrusion Detection Systems. Overview. Evolution of IDSs. Oussama El-Rawas. History and Concepts of IDSs

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Intrusion Detection System (IDS)

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

SURVEY OF INTRUSION DETECTION SYSTEM

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

HOST BASED INTERNAL INTRUSION DETECTION AND PREVENTION SYSTEM.

Introduction to Cyber Security / Information Security

A NOVEL APPROACH FOR PROTECTING EXPOSED INTRANET FROM INTRUSIONS

Intro to Firewalls. Summary

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Network Intrusion Detection System for Denial of Service Attack based on Misuse Detection

Second-generation (GenII) honeypots

Intrusion Detection for Mobile Ad Hoc Networks

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS)

A survey on Data Mining based Intrusion Detection Systems

TIME SCHEDULE. 1 Introduction to Computer Security & Cryptography 13

Network Access Security. Lesson 10

Comparison of Firewall and Intrusion Detection System

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Role of Anomaly IDS in Network

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

A SURVEY ON GENETIC ALGORITHM FOR INTRUSION DETECTION SYSTEM

HIDS and NIDS Hybrid Intrusion Detection System Model Design Zhenqi Wang 1, a, Dankai Zhang 1,b

An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing

Application of Data Mining Techniques in Intrusion Detection

Introduction of Intrusion Detection Systems

Intrusion Detection System using Log Files and Reinforcement Learning

Intrusion Detection Systems

74% 96 Action Items. Compliance

CHAPTER 1 INTRODUCTION

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Volume 3, Issue 3, March 2015 International Journal of Advance Research in Computer Science and Management Studies

Science Park Research Journal

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

A Survey on Intrusion Detection System with Data Mining Techniques

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Avaya TM G700 Media Gateway Security. White Paper

Avaya G700 Media Gateway Security - Issue 1.0

Lesson 5: Network perimeter security

IPS Anti-Virus Configuration Example

INTRUSION DETECTION SYSTEM FOR WEB APPLICATIONS WITH ATTACK CLASSIFICATION

CSCE 465 Computer & Network Security

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Observation and Findings

KEITH LEHNERT AND ERIC FRIEDRICH

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford

Banking Security using Honeypot

Intrusion Detection Systems

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

IDS : Intrusion Detection System the Survey of Information Security

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Network Security Management

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Firewall Environments. Name

Lab Configure IOS Firewall IDS

8. Firewall Design & Implementation

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Intrusion Detection Systems

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Intrusion Detections Systems

HYBRID INTRUSION DETECTION FOR CLUSTER BASED WIRELESS SENSOR NETWORK

An Overview of Intrusion Detection System (IDS) along with its Commonly Used Techniques and Classifications

THE ROLE OF IDS & ADS IN NETWORK SECURITY

CSCI 4250/6250 Fall 2015 Computer and Networks Security

How To Protect Your Network From Attack

Transcription:

www.ijcsi.org 387 Speedy Signature Based Intrusion Detection System Using Finite State Machine and Hashing Techniques Utkarsh Dixit 1, Shivali Gupta 2 and Om Pal 3 1 School of Computer Science, Centre for Development of Advanced Computing, 2 School of Computer Science, Centre for Development of Advanced Computing, 3 Senior Technical Officer, Centre for Development of Advanced Computing, Abstract This paper proposes a secure system designs for clientserver based communication systems. In this system, security services are implemented on server, as generally data received on the servers contains malicious contents. The technique that we used is to perform speedy intrusive signature matching received inside a network with the known signatures from the training database. Probable intrusive signatures, which get filtered from hash value matching, are exposed to a finite state model that inspects those signatures against a finite automaton. Other systems like anomaly based detection may not detect all malicious activity signatures. Also, we have taken a note to reduce the false positive rate to nil while implementing the system which gets generated in other detection systems during the communication process. The proposed system works on a client-server based model. Keywords-Signature matching, Finite State Machines, Hashing, Host based IDS, Mid-Square Method 1. Introduction With the increase in the number of users and the type of facilities they require, the number of computers and in turn the number of networks has also increased drastically. And as there always exists some shortcomings with every technology, network security is also not untouched with it. Thus, network intrusion presents a serious problem for network security as malicious users always look forward to disrupt the services and cripple the capability of the network. Though other methods like Windows firewall, Virtual Private Network or various encryption techniques exists which offer network security, but they have limited capability as they are somewhat static in nature. Intrusion detection is the process of monitoring the events occurring in a computer system or network and analysing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion detecting system, for the purpose of dealing with IT, can be categorized broadly into two categories: Network based IDS: is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, network switch configured for port mirroring, or network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Host based IDS (HIDS): It consists of an agent on a host that identifies intrusions by analysing system calls, application logs, file-system modifications (binaries, password files, capability databases,

www.ijcsi.org 388 Access control list, etc.) and other host activities and state. In a HIDS, sensors usually consist of a Software agent. Some application-based IDS are also part of this category. Intrusion detection activity is classified into two categories: Anomaly Detection: is the attempt to identify malicious traffic based on deviations from established normal network traffic patterns. Misuse Detection: is the ability to identify intrusions based on a known pattern for the malicious activity. In this work, we have used host based signature detection system which uses the received packets to decide the intrusive activity along with exposing the known signatures to Finite State Machines so as to clearly decide the existence of the malicious activity into the system. The goal of the research is to analyse various signature based techniques of Intrusion Detection so that a robust system can be developed. Rest of paper is organized as follows: in next section related work is presented. In Section 3, proposed scheme is given. Section 4 concludes the paper and in last reference section is given. 2. Related Work James P. Anderson [1] studied the purpose of improving the computer security auditing and surveillance capability of the customer system. Mohammadreza Ektefa [2] proposed to use data mining techniques including with classification tree and support vector machines for intrusion detection. Kingsly Leung [3] introduced grid based and density based cluster approach for separating frequent item sets from non frequent item sets and they used their density based support mechanism for identifying unseen attack in anomaly detection. [4] R. Li, and W. M. Pan, introduced sequence based anomaly detection approach. [5] Karen Scarfone & Peter Mell discuss various issues regarding Intrusion detection and prevention systems. In this paper, proposed scheme uses combination of hashing technology for faster detection of intrusion with finite state machine for reduction of false alarm. It uses the Mid Square Method for implementing hashing. The Mid Square method of hashing can be understood as follows: Mid Square Method The middle-square method [6] is a method of generating pseudorandom numbers. The method originated with John von Neumann, and was notably described at a conference in 1949. It is a hash function which uses integer keys values. The mid-square method squares the key value, and then takes out the middle r bits of the result, giving a value in the range 0 to 2 r -1. This works well because most or all bits of the key value contribute to the result. For example, consider records whose keys are 4-digit numbers in base 10. The goal is to hash these key values to a table of size 100 (i.e., a range of 0 to 99). This range is equivalent to two digits in base 10. That is, r = 2. If the input is the number 4567, squaring yields an 8-digit number, 20857489. The middle two digits of this result are 57. All digits of the original key value (equivalently, all bits when the number is viewed in binary) contribute to the middle two digits of the squared value. Other Hashing Methods: Modulus Method: Also known as modulo arithmetic method, it uses H: Key ----> Integer Index scheme for calculating hash values. E.g. if table size is 100 3 Digit numbers are the keys, 999 possible items, Indices 0..99 on the table 999 % 100 = 99 (100 is Table size), 524 % 100 = 24 etc. Folding method: In the folding method, the key is divided into two parts that are then combined or folded together to create an index into the table. This is done by dividing the key into parts where each of the parts of the key will be of the same length as of the desired key. E.g. using the SSN 987, 654, 321, and then add these together to get 1962. We then use either division or extraction to get a three digit index.

www.ijcsi.org 389 Finite State Model: A Deterministic finite automata is defined by quintuple D=<Q,,, q 0, F> where Q= Finite set of non-empty states = Finite set of input alphabets The transition function,, where S= Q Start State, q 0 Q A set of accept states, F Q are stored in some other file. Signature hash value calculation is done using the Mid-Square technique and stored in a file. This phase takes into account the length of the virus signatures for matching. Comparison of the hash values from the training database was performed easily. The received data, which did not match this first criteria was considered clean and free from intrusion. Phase III: The filtered data which passed second phase check was further investigated by exposing the signature strings to the finite state models and depending on the outcomes of the machine the alarms are generated. Analysis: 3. Proposed Scheme The overall working strategy is broadly divided into three phases. They are: (i) Formation of a training database of virus signatures and calculation of their hash values. (ii) Calculation of hash values of the received data from the client. Thereafter performing speedy signature matching using Mid-Square Method of Hashing (iii) Implementing a deterministic finite automaton for the filtered signatures for reduction of false positive and false negative alarm. Phase I: During the development of the presented system, we analysed the techniques of host based Signature detection system. The developed system is implemented on a server in a client-server environment. The server module maintains a virus signature database file. It also keeps a log of data packets sent by the client. The data received is initially stored in a file in the 15-bit binary format. This format will help resolving collisions that will occur while storing same-length but different virus signatures. Phase II: The processing of the received data is commenced by extracting the virus database signatures which The steps we followed in detecting intrusion are as follows: 1. First of all, as a prerequisite a client-server model is established via socket programming, having a client module and a server module. 2. We took into account only that communication which is coming from the client side, i.e. data received from client is stored into a separate file in a 15-bit binary notation. 3. Hashing is applied on both the files, i.e. intrusive signature file and received data file. 4. The initial matching is done against the hash values of the intrusive signature with that of data hash values. 5. Based on the result of the matching, the packets are further investigated or assumed clean in the following manner: i) If the hash values are different then we may assume that the data received is free from intrusion and does not require further investigation. This is because our primary criterion is the length of the malicious signature which is stored in our database. ii) If the hash values are same then the data needs further investigation.

www.ijcsi.org 390 Thereafter, the data is exposed to a Finite State Module which inspects it for intrusion. We designed finite automata for each defined signature. It reaches to a final state on input of signature strings of known virus only. To check the working of the system, we sent a known signature named Ah from the client to the server. Taken the signature Ah, Binary equivalent= 100000101101000 Calculated Hash value =7 Received data hash value=7 (we intentionally sent same signature) Signature matched successfully in second phase. After that data is then put on the automata as follows: No No Yes Yes 4. Conclusion Fig2.Depicting System Flowchart Fig1.Single Finite state model of the several intrusive signatures Here, Q= {q 0, q 1, q 2,.., q 15 } = {0, 1} q 0= the initial state F= {q 10, q 14 }, dead state= q 15 such that (q 15,0)=q 15 and (q 15,1)=q 15 Thus the automaton reaches on the final state on input of the intrusive signature i.e. on states q 10 or q 14. The presented automata checks more than one virus signatures (more specifically five signatures). All other signature strings reach to dead state for e.g. strings not starting or not ending with desired input value and so on. Preventing any network from intruders and making it free from malicious contents is of prime concern of the network security analysts. Intrusion detection along with intrusion prevention mechanism support lets any network secure from internal as well as external threats. Introduction of finite deterministic model into security areas like IDS is an innovative approach which can further be enhanced to meet more complex challenges. One of the benefits of using finite state model in our scheme is the usage of single model for same length digital signatures rather using separate models of same length finite automata. Also, by using Mid-Square method for hashing, the result is not dominated by the distribution of the bottom digit or the top digit of the original key value. The only limitation that exists in the presented system is in terms of non functionality of the system against such signatures

www.ijcsi.org 391 which are not defined previously in the training database. Overall, the proposed paper presents an innovative approach in tackling intrusion attempts of a network and efficiently preventing the network from malfunctioning. References [1] James P. Anderson Co.; Computer security Threat monitoring and surveillance, Revised April, 1980 [2] Mohammadreza Ektefa : Intrusion Detection Using Data Mining Techniques [3] Kingsly Leung, Christopher Leckie: Unsupervised Anomaly Detection in Network Intrusion Detection Using Clusters. In: 28th Australasian Computer Science Conference, The University of Newcastle, Australia, January 2005 [4] S. Hossain, S. M. Bridges, and R. B. Vaughn: Adaptive Intrusion Detection with Data Mining. In Proc. of IEEE Int l Conf. on Systems, Man and Cybernetics, pp. 3097-3103, 2003 [5] Karen Scarfone & Peter Mell: A Guide to Intrusion Detection and Prevention Systems NIST Special Publication 800-94 [6] Hashing Tutorial: research.cs.vt.edu/avresearch/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information