8-02 Intruder Detection Monitoring Application Using Snmp Protocol

INTRUDER DETECTION MONITORING APPLICATION USING SNMP PROTOCOL

Vicky Hanggara 1, Fransiscus Ati Halim 2, Arnold Aribowo 3
1,2,3 Computer System Department, Faculty of Computer Science, Universitas Pelita Harapan
Jl. M.H. Thamrin Boulevard 1100 Lippo Village, Tangerang 15811
Orophin_alcarin@gmail.com, fransiscus.halim@uph.edu, arnold.aribowo@uph.edu

ABSTRACT

Simple Network Management Protocol (SNMP) is a standard protocol that can be used to monitor a computer network. SNMP packets carry network information, but the protocol has a weak defense: it only has a community string, which serves as a password to protect the network from intruders. An intruder is someone who enters the network without permission. Therefore, additional protection is required to protect the network from intruders. The main purpose of this research is to create an additional protection for a network monitoring application based on SNMP. This additional protection is called intruder detection. Intruder detection can detect a computer with a different community string and block that computer's connections to other subnets. Intruder detection also has allow and block facilities, which can be used to allow an intruder's connection or to block a user's connections to other subnets. Based on the test results, the percentage of successful delivery and acceptance of SNMP packets in a test on four computers (four IP addresses) is eighty-five percent. From the experiment, it can be concluded that the intruder detection application can detect an intruder with a different community string and block its connections to other subnets, including the internet connection.

Keywords: SNMP, Computer Network, Intruder Detection

1 INTRODUCTION

Today, the number of computers in use has grown rapidly; because there are so many, monitoring the network to find out the condition of the computers on it has become more difficult.
Network monitoring applications can be used to facilitate the monitoring of networks with multiple computers. A network monitoring application is an application that can monitor whether a computer is still active or not, and look at the computer's specifications. Simple Network Management Protocol (SNMP) is a protocol that is widely used to build computer network monitoring applications. SNMP can retrieve information from a computer such as IP address, hostname, capability, contact, location, description, CPU usage, memory usage, hard disk information, system uptime, and open ports. Besides the advantage that SNMP can retrieve information about the computer, SNMP has a weakness on the security side. SNMP is a standard protocol that can be used to monitor a computer network. SNMP packets carry network information, but the protocol has a weak defense: it only has a community string, which serves as a password to protect the network from intruders. An intruder is someone who enters the network without permission. Therefore, additional protection is required to protect the network from intruders. This paper focuses on the research into utilizing the SNMP protocol in the development of an intruder detection application.

1.1 Related Work

When an intruder attempts to break into an information system, or performs an action it is not legally allowed to take, this is called an intrusion. The intruder may come from outside, or the intruder may be an insider who exceeds their limited authority to take action. Whether or not the action is detrimental, it is of concern because it might be detrimental to the health of the system, or to the service provided by the system [1]. Currently there are two basic approaches to intrusion detection: anomaly detection and misuse detection. Anomaly detection is based on the normal behaviour of a subject (e.g., a user or a system); any action that significantly deviates from the normal behaviour is considered intrusive. The second approach, called misuse detection, involves characterizing known ways to penetrate a system. Any action that conforms to the pattern of a known attack or vulnerability is considered intrusive [2].
The Proceedings of The 7th ICTS, Bali, May 15th-16th, 2013 (ISSN: 9772338185001)

The main purpose of this research is to create an additional protection for a network monitoring application based on SNMP, using the community string of SNMP packets.

2 MODEL, ANALYSIS, DESIGN, AND IMPLEMENTATION

SNMP is used as the primary protocol because almost all computers already have SNMP. SNMP also has short commands that can be used to retrieve information from a computer. To cover the weakness of SNMP on the security side, an additional check is needed so that SNMP can be used for a better network monitoring application on the computer network. If a computer is not one that is supposed to be connected to the network, then the connections from that computer are blocked. This additional defense is called intruder detection. Intruder detection checks each computer on the network being monitored, and blocks the connections to other subnets (including the internet) of any computer that should not be on the network. Intruder detection also has an allow facility, which grants access permissions to a computer, including an intruder, and a block facility, which removes the access permissions of a computer. The allow facility can be used to give connection rights to guests who are detected as intruders. The block facility can be used to block the connections of users who use the connection incorrectly, such as watching videos online during working hours.

2.1 Address Resolution Protocol (ARP)

Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. For example, in IP version 4 (IPv4), the most common level of IP in use today, an address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a Media Access Control or MAC address.)
A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions. This is used to identify and monitor the packet communication across the network [3].

[Figure 1. ARP Mechanism]

For example, host A will send ping packets to host D. As a first step, host A sends an ARP request with the message "Where is IP 1.1.1.254? Please tell IP 1.1.1.1". IP 1.1.1.254 is the gateway of host A. The ARP request is sent as a broadcast to IP 255.255.255.255. Router A has the IP 1.1.1.254 and sends a reply with the message "1.1.1.254 is at MAC address AB-AB-AB-AB-AB-AB". Host A receives the reply and then sends a ping packet to host D, which has the unicast IP 2.2.2.2, with the router's MAC address AB-AB-AB-AB-AB-AB as the destination MAC address. The router then sends an ARP request from the router interface that is on the same subnet as host D, through switch B. Switch B forwards the message from the router to host C and host D. Host D, which receives the message, replies with the message "2.2.2.2 is at MAC address dddddd". Furthermore, router A forwards the ping packet derived from host A to host D, with the router's MAC address as the source MAC address and host D's MAC address as the destination MAC address.

2.2 ARP Spoofing

In a switched network environment, packets are sent to their destination port by MAC address. This requires that the hardware is able to create and maintain a table associating MAC addresses with ports. In a switched environment, packets are only sent to the devices they are meant for [4]. ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network. It allows an attacker to monitor data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether.
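As an added illustration of the ARP exchange in Section 2.1 and the poisoning it is exposed to (example code written for this edit, not part of the paper or of its application): it unpacks an Ethernet/ARP frame, keeps an IP-to-MAC cache as the application's ARP-reading thread keeps its list of detected devices, and reports a conflict when an already-learned IP is re-announced from a different MAC, which is the observable a defender watches for. The frames are constructed inline using the router address from Figure 1; the host-A MAC 00-11-22-33-44-55 and the conflicting MAC DE-AD-BE-EF-00-01 are assumed values.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_HDR = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def parse_arp_frame(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP (42 bytes)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_HDR, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "operation": oper,
        "sender_mac": sha.hex("-").upper(),
        "sender_ip": str(IPv4Address(spa)),
        "target_mac": tha.hex("-").upper(),
        "target_ip": str(IPv4Address(tpa)),
    }


class ArpCacheMonitor:
    """IP -> MAC table learned from ARP replies, with re-binding detection."""

    def __init__(self):
        self.cache = {}        # ip -> mac as first learned
        self.conflicts = []    # (ip, known_mac, new_mac)

    def observe(self, frame):
        pkt = parse_arp_frame(frame)
        if pkt["operation"] != ARP_REPLY:
            return "ignored"                    # a request asserts no binding
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.cache.get(ip)
        if known is None:
            self.cache[ip] = mac
            return "learned"
        if known != mac:                        # the signature of ARP poisoning
            self.conflicts.append((ip, known, mac))
            return "conflict"
        return "unchanged"


def build_arp_frame(oper, sha, spa, tha, tpa):
    """Pack a constructed test frame in the layout parse_arp_frame reads."""
    def mac(m):
        return bytes.fromhex(m.replace("-", ""))
    dst = mac(tha) if oper == ARP_REPLY else b"\xff" * 6   # requests are broadcast
    eth = struct.pack("!6s6sH", dst, mac(sha), ETHERTYPE_ARP)
    arp = struct.pack(ARP_HDR, 1, 0x0800, 6, 4, oper,
                      mac(sha), IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)
    return eth + arp
```

A real deployment would feed observe() from a capture filtered to ARP, as the application's first thread does; the conflict list is what an administrator would alert on, since the cache entry itself gives no hint of which binding was the legitimate one.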
This technique involves sending fake ARP messages onto the Ethernet LAN. The goal is to have the devices on the network associate the attacker's MAC address with the IP address of another host on the network. Traffic destined for the target is then redirected to the attacker's machine. In many cases the attacker will strike a particular service or a part of the network infrastructure such as the default gateway or proxy server. If successful, the traffic intended for a specific IP address on the host can be stopped by the attacker. ARP spoofing is mainly used in the following ways: internal/external network sniffing, interception, and malicious attack [5].

2.2.1 Sniffing

Sniffing is the type of attack in which the attacker inserts itself between two communicating hosts to obtain their messages. To prevent the communication from halting, the attacker ceaselessly retransmits the messages between the two hosts. There are two kinds of sniffing: internal network sniffing and external network sniffing [5]. Assume host A and host B are in the same network and will communicate with each other, and host C is outside the network, as illustrated in Fig. 2. If the attacker C wants to sniff the communication between host A and host B, it must pass the router. Considering the survival time of a message from the inside net to the outside net, the attacker modifies the TTL of its IP packets to make sure it has enough time to send out response packets to the destination host. Host C then sends out an ARP response packet to host A [5].

[Figure 2. Internal/External network Sniffing]

2.3 Intruder Detection Design

Any intruder who is not supposed to be on the network will be sent spoofed packets by an ARP spoof application, so that the intruder cannot connect outside the subnet. Intruders are usually detected by an incorrect community string when SNMP is set up on the computer. Computers or devices that connect to the network without SNMP set up beforehand will also be recognized as intruders. The flow diagram of the intruder detection is depicted in the following figure:

[Figure 3. Flowchart of the Intruder Detection Application]

The intruder detection application also has allow and block facilities. The allow facility is used to allow outgoing connections to other subnets, such as a connection to the internet, while the block facility is used to block outgoing connections to other subnets. Initially, the user of the application is prompted to select the network interface to use. After that, the necessary information from the interface, such as the IP address, MAC address, and gateway IP and MAC addresses, is collected. If this information cannot be obtained, the process stops. If all the information has been obtained, the application configures a static ARP entry for the gateway on the computer running the network monitoring application. The computer running the intruder detection application configures the static ARP entry so that the computer itself is not deceived when spoofing the intruder's computer. The next process is to create two threads to read ARP. The threads that have been created run different processes. The first thread is filtered to only read ARP packets. This thread waits for and reads the ARP packets received. Each received ARP packet is checked to see whether it comes from the same subnet as the interface and is not yet listed among the detected computers. If so, SNMP packets are sent for verification. If the SNMP packet is returned correctly, then the host is not an intruder. Conversely, if the packet is not returned, then the status of the host is intruder. The second thread is used to send ARP request packets to all IP addresses on the subnet. After sending the ARP packets, the delivery status obtained for each ARP packet is read. If a computer is detected as an intruder, then the ARP packet delivery process is executed to manipulate the gateway address: the address of the computer running the monitoring application is declared as the gateway to the computer that is detected as an intruder.

2.4 Implementation of Intruder Detection in the Network Monitoring Application

The function of intruder detection is to find a computer on the network that does not have SNMP enabled or has a different community string than it should. Computers that have this problem are treated as intruders. As an intruder, its access to connect to the Internet and to other subnets is blocked. The Allow Target button grants access to connect to the internet and other subnets, while the Block Target button blocks access to connect to the Internet and to the networks found on other subnets.
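The classification in the flowchart of Section 2.3 and the SNMP check of Section 2.4, as an added example written for this edit (not the authors' application code): a hand-rolled BER encoding of the SNMPv2c GetRequest that carries the community string, a constructed dictionary of per-host agent communities standing in for the real agents that would answer on UDP port 161, and the same-subnet / already-registered / verified decision together with the Allow Target and Block Target overrides. The gateway-manipulation step is left out; the block ends at the decision of whether a host keeps off-subnet access. The host IPs and community strings used in the test are constructed; the sysDescr OID 1.3.6.1.2.1.1.1.0 is the standard one. In SNMPv1 and v2c the community string travels in cleartext in every request, which is why the paper treats it as a weak defense, and community_from_request() below shows how little work it takes to read it back out of a packet.

```python
import ipaddress

# ---- Minimal BER encoding of an SNMPv2c GetRequest (RFC 3416 layout) ----

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def ber_int(v):
    size = max(1, (v.bit_length() + 8) // 8)        # minimal two's-complement length
    return _tlv(0x02, v.to_bytes(size, "big", signed=True))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])        # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                   # base-128, high bit = more follows
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community, oid, request_id=1):
    """SNMPv2c GetRequest for one OID. The community is a plain OCTET STRING:
    anyone who sees the packet sees the 'password'."""
    varbind = _tlv(0x30, ber_oid(oid) + b"\x05\x00")            # OID + NULL value
    pdu = _tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)   # request-id, error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, ber_int(1) + _tlv(0x04, community.encode()) + pdu)   # version 1 == v2c

def community_from_request(pkt):
    """Read the community back out of a request, as the agent (or anyone on the wire) does."""
    if pkt[0] != 0x30:
        raise ValueError("expected outer SEQUENCE")
    pos = 2 if pkt[1] < 0x80 else 2 + (pkt[1] & 0x7F)   # skip short- or long-form length
    if pkt[pos] != 0x02:
        raise ValueError("expected version INTEGER")
    pos += 2 + pkt[pos + 1]
    if pkt[pos] != 0x04:
        raise ValueError("expected community OCTET STRING")
    return pkt[pos + 2: pos + 2 + pkt[pos + 1]].decode()

# ---- Detection logic of Section 2.3 with simulated SNMP agents ----

SYS_DESCR = "1.3.6.1.2.1.1.1.0"

class IntruderDetector:
    def __init__(self, interface_ip, prefix_len, community, agents):
        self.subnet = ipaddress.ip_network(f"{interface_ip}/{prefix_len}", strict=False)
        self.community = community
        self.agents = agents      # constructed: IP -> agent's community, None if no SNMP
        self.status = {}          # IP -> "user" | "intruder" (the list of detected devices)
        self.overrides = {}       # IP -> "allow" | "block" from the two buttons

    def _snmp_verify(self, ip):
        """'Reply SNMP package correctly?': an agent ignores a request whose
        community does not match its own, so no reply means intruder."""
        configured = self.agents.get(ip)
        if configured is None:
            return False                                # SNMP not enabled at all
        request = build_get_request(self.community, SYS_DESCR)
        return community_from_request(request) == configured

    def on_arp(self, sender_ip):
        """First-thread path: classify a host the first time its ARP is seen."""
        if ipaddress.ip_address(sender_ip) not in self.subnet:
            return "ignored"                            # not our subnet
        if sender_ip in self.status:
            return self.status[sender_ip]               # already registered
        verdict = "user" if self._snmp_verify(sender_ip) else "intruder"
        self.status[sender_ip] = verdict
        return verdict

    def allow_target(self, ip):
        self.overrides[ip] = "allow"

    def block_target(self, ip):
        self.overrides[ip] = "block"

    def outbound_permitted(self, ip):
        """What the second thread acts on: intruders lose off-subnet access
        unless allowed; users keep it unless blocked."""
        if ip in self.overrides:
            return self.overrides[ip] == "allow"
        return self.status.get(ip) == "user"
```

The agents dictionary stands in for the network: on a real LAN the verification would send build_get_request() to UDP port 161 and treat a timeout as "intruder", which is also why a host with SNMP disabled ends up classified the same way as one with the wrong community, exactly as Section 2.4 describes.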
The Allow Target and Block Target buttons can be used in specific situations, for example when there are guests who wish to exercise the right of access to a network connection and are detected as intruders. Another example is workers who play online games during working hours, whose connection permissions may be blocked. A detected intruder immediately has its connection privileges out of the subnet blocked, as shown in Figure 4. All computers that connect to the network and have a different community string are treated as intruders. The Allow Target and Block Target buttons can be used to grant access permissions or to block access permissions, as described above. A user can be given permissions or have its connections blocked.

[Figure 4. Intruder Detection Application]

As illustrated in Figure 5, the Allow Target and Block Target buttons allow or deny access according to the intruder or user role. Access rights to a network connection are blocked automatically when an intruder is found, while a legal user is granted access to a network connection anywhere; a user can nevertheless be blocked by using Block Target, to deal with users who play at work. An example of a blocked user can be seen in Figure 6.

[Figure 5. PC-Host Vic-PC allows connection]

In Figure 5, the hostname Vic-PC with IP address 192.168.2.2, whose role is user, gets the status "allowed", while the hostname unknown with IP address 192.168.2.4, whose role is intruder, has its connections blocked automatically.

[Figure 6. PC-Host Vic-PC has been blocked]

In Figure 6, it can be seen that the computer with hostname vic-pc, whose role is user, has been blocked. A computer whose access permissions have been blocked can be given them back by pressing the Allow Target button, as in Figure 6. A computer identified as an intruder may be allowed access by pressing the Allow Target button while the cursor points at the address marked "intruder". Other tests were performed to check whether the intruder detection's port blocking succeeds or fails; port 80 is used in this test. Below are sample pictures of the vic-pc connection before and after its connection is blocked. The Refresh button updates the ports that are open and in use on the computer being monitored.

[Figure 7. PC-Host vic-pc Allowed connection network Activities]

In Figure 7, the host vic-pc is connected through port 80 and has the status "established". For example, port 80 is shown connected to an internet site with the IP 209.85.175.99. The vic-pc connection after it has been blocked can be seen in Figure 8 below.

[Figure 8. PC-Host Vic-PC Blocked connection network Activities]

Figure 8 shows port 80 connected to an internet website with the IP 209.85.175.99 and having the status "synsent", which means that the host vic-pc has sent the request message but has not received a reply from the website. After a few moments in the synsent status, the connection between the host vic-pc and the internet website is closed.

3 RESULT

Testing is done by calculating the percentage of successful delivery and acceptance of SNMP packets, by monitoring CPU usage and memory usage periodically in the application. The SNMP packets for CPU usage and memory usage change every minute. If the sending and receiving of SNMP packets succeeds, then the CPU usage and memory usage values in the application are updated. Tests were performed ten times on all computers on the network. Each computer is represented by its IP address. The following table shows the percentage of successful test results for sending and receiving SNMP packets for each computer.
Table 1. Percentage of Successful Send and Receive SNMP Packet

Minutes     192.168.2.2   192.168.2.3   192.168.2.4   192.168.2.6
1           success       fail          success       success
2           success       success       success       success
3           success       success       fail          success
4           fail          success       success       fail
5           success       success       fail          success
6           success       success       success       success
7           success       success       success       success
8           success       success       success       success
9           success       fail          success       success
10          success       success       success       success
Percentage  90%           80%           80%           90%

Based on the test results, the percentage of successful delivery and acceptance of SNMP packets on the computers with IP addresses 192.168.2.2 and 192.168.2.6 is ninety percent, while the computers with IP addresses 192.168.2.3 and 192.168.2.4 have an eighty percent success rate. The success criterion is the condition in which the information about CPU usage and memory usage can be retrieved and displayed in the application. The failure criterion is the condition in which the information about CPU usage and memory usage fails to be retrieved and displayed, so that what the application shows on the screen is the number "0". Failures in sending and receiving SNMP packets are caused by the use of an inadequate router, or by the computer used to run the application having limited processor and memory resources, so that the performance of the computer is not optimal.

4 CONCLUSION

The application was made to meet the following criteria: the intruder detection application can detect intruders on the network being monitored, and is able to block and grant permissions to connect to the Internet and to LAN networks. Based on the test results, the percentage of successful delivery and acceptance of SNMP packets in a test on four computers (four IP addresses) is eighty-five percent. Further research is recommended to build the application so that the intruder detection application will be able to monitor CPU usage and memory usage periodically, and be able to monitor the status of system uptime and open ports, to make it easier for network administrators to monitor the computers on the network.

REFERENCES

[1] A. Jones, R. Sielken, Computer System Intrusion Detection: A Survey, Journal of Computer Science, Univ. of Virginia, Charlottesville, Virginia, Feb 2000
[2] P. Ning & S. Jajodia, Intrusion Detection Techniques, Technical Report, North Carolina State University & George Mason University, https://alexids.googlecode.com/files/idTechniques.pdf (viewed 14 Feb 13)
[3] D. Parameswari & R.M. Suresh, ARP Protocol Sequence Analysis for Intrusion Detection System, Int'l J. of Reviews in Computing, 2010, 23-33
[4] D. Dodd, Network Security: Arp Cache Poisoning and Sniffing Packets, Security Article, 2011, http://security.syscon.com/node/1945802 (viewed 14 Feb 2013)
[5] Y. Liu, K. Dong, L. Dong, and B. Li, Research of the ARP Spoofing Principle and a Defensive Algorithm, Int'l J. of Communications, Dec 2007, 143-147