An IPv6-Oriented IDS Framework and Solutions of Two Problems

Wei LI (1), Zhiyi FANG (1), Peng XU (1), and Haiyang SI (1,2)

(1) School of Computer Science and Technology, Jilin University, Changchun, 130012, P.R. China
(2) Graduate University of Chinese Academy of Science, Shenyang Institute of Computing Technology, Shenyang, China
[email protected], [email protected]

ABSTRACT
In order to lower the false positive rate and the false negative rate, a payload-adapt IDS framework for IPv6/4 environments is proposed in this paper. Using a decision-tree-based classification method, a rule matching tree adapted to the load characteristics is created dynamically, which improves detection efficiency. Petri nets are used to model complicated attack behaviour and to build a complicated-attack rule library, which improves the detection accuracy rate. Finally, experiments show that our solutions are feasible and effective for resolving the problems that current IDS face.

Keywords: IDS, IPv6, false positive rate, false negative rate, payload-adapt, Petri net.

1. INTRODUCTION
Intrusion detection in IPv4 has been studied by many people, but in IPv6 the relevant research is still limited. Most manufacturers simply adapt their existing IPv4 products to support IPv6; the new characteristics of IPv6 and their network security implications have not been fully taken into account. Therefore, intrusion detection research on IPv6 will be a future direction of development. This paper presents IDS research on IPv6 [1]. To increase detection speed, Qian Tang [2] and Xiaofeng Ren [3] each proposed their own intrusion detection method, but those methods have some disadvantages. In this paper, we propose a payload-adapt intrusion detection method. Using a decision-tree-based classification method, a rule matching tree adapted to the load characteristics is created dynamically, which improves detection efficiency. It is carried out by the Rule Matching Tree Generation Module in the Payload-adapt Analysis Module, which is a very important part of our system. The Collaborative Analysis and Control Centre is the high level of the overall framework; it uses Petri nets [4] to model complex attacks and to generate rules that improve the accuracy of alerts and lower the false positive rate and the false negative rate.

2. FRAMEWORK OF SYSTEM
With the development of large-scale high-speed Internet network attacks and the increasing complexity of intrusion detection, IDS (Intrusion Detection Systems) [5-10] face a new challenge. To solve the problems that the high-speed environment brings, we propose a payload-adapt IDS framework for IPv6/4 environments. The whole framework is sketched in figure 1.

Fig.1. Payload-adapt IDS Framework under IPv6/4 Environment (components shown: Collaborative Analysis and Control Centre, Payload-adapt Analysis, Data Collector, Data Source (High-speed IPv6/4 Network))

From figure 1 we can see that the entire framework is composed of three parts: the Data Collection Module, the Payload-adapt Analysis Module, and the Collaborative Analysis and Control Centre. The parts are loosely coupled and mutually independent. The framework can be realized as a distributed architecture and used to solve mass data detection problems in large-scale high-speed network environments. The main function of the data collection module is to collect data from the entire network and send it to the other modules. For a collector in a distributed architecture, the main task is to obtain more comprehensive and accurate critical information.

The Payload-adapt Analysis Module analyzes the raw data from the data collector, gives a simple analysis of attacks and sends the results to the other modules. It is made up of the Rule Matching Tree Generation Module, the payload-adapt rule-matching tree structure, the payload-adapt detection module, the secure communication module, the response mechanism, data formatting and the configuration management module. The module is sketched in figure 2.

The Collaborative Analysis and Control Centre, shown in figure 3, is the high level of the overall framework. It uses Petri nets [5] to model complex attacks and to generate rules from them, which are used to examine the information from low-level alarms. Because we use technologies such as alarm correlation and information fusion to enhance the credibility of alerts, it improves the accuracy of alerts and has a lower false positive rate and a lower false negative rate, resolving the problem that current IDS face.

3. PAYLOAD-ADAPT INTRUSION DETECTION METHOD AND THE RELATED MODULES

Important Modules Related to the Method

Fig.2. Payload-adapt Analysis Module (components shown: Secure Communication Module, Management Configuration Center, Data Formatting, Response Mechanism, Rule Matching Tree Generation Module, Payload-adapt Detection Analysis, Payload-adapt Rule-matching Tree)

Fig.3. Framework of Collaborative Analysis and Control Centre (components shown: Complicated Intrusion Rule Library Based on Petri Net, Complicated Intrusion Analyzer Based on Petri Net, Alarm Response Module, Storage Center, Control Center, Secure Communication Module, Management Configuration Center, Payload-adapt Analysis)

Rule Matching Tree Generation Module: According to sample traffic and rule sets acquired from the real network, and on the basis of protocol analysis, this module generates a rule matching tree by an improved decision tree method. For each event or packet to be detected, it makes the number of rule sets that must be checked as small as possible, and so achieves the goal of improving detection speed.

Payload-adapt Rule-matching Tree: This is the data structure that stores the new rule sets. It is generated by the Rule Matching Tree Generation Module and is also the analysis base of the Payload-adapt Detection Analysis Module.

Payload-adapt Detection Analysis Module: This module is the core of the Payload-adapt Analysis Module and is responsible for analyzing the data collected by the data acquisition module. According to the rule matching tree adapted to the load characteristics, it determines the rule sets applicable to each event or packet and then matches them rapidly against each event or packet. By using misuse detection technology to check data packets quickly, it finds attack packets of known attack types. The detected attack information is sent to the response mechanism module and, after data formatting, to the Collaborative Analysis and Control Centre for further processing. Thus it reduces the false positive and false negative rates as far as possible and improves detection accuracy.

Payload-adapt Intrusion Detection Method

By analyzing current detection methods, we conclude that changes in the network environment and asymmetry in rule classification seriously affect IDS detection speed, even when the currently popular protocol analysis technology is adopted. For higher performance, we argue that an IDS should adapt to both the traffic characteristics and the rule characteristics. Like the protocol analysis method, we pre-process the received data by the values of protocol fields. Depending on whether the values of the protocol fields in a packet match or not, the set of applicable rules is determined. The difference is that our approach uses the characteristics of the traffic and of the rules to classify rules. Because memory is limited, we cannot choose all protocol characteristics, nor maintain all values for every protocol field. Therefore, we build a mathematical model to solve this problem.

Definition 1: $R_k$ refers to a specific rule in the rule set $R$, that is $R_k = (F_1 = V_1^{r_1} \wedge F_2 = V_2^{r_2} \wedge \cdots \wedge F_n = V_n^{r_n})$, in which $n$ refers to the number of fields with available rules; $F_i$ refers to the $i$-th field of the rule, $i \in [1 \ldots n]$; $V_i^{j}$ refers to the $j$-th value of the $i$-th field of the rule; $K$ refers to the number of rules in the rule set, $k \in K$.

Definition 2: $P$ is a set of subsets of the rule set, that is $P = \{P_1, P_2, \ldots, P_H\}$, in which $P_i$ is a subset of the rule set $R$ and $P = \sum_{i=1}^{H} P_i$, $i \in [1 \ldots H]$. Here we say $P$ is a category of the rule set.

Definition 3: $Num(P_i)$ refers to the number of packets of the sample traffic $S$ that fall under the $i$-th rule subset $P_i$, in which $S$ is a set of data packets and refers to a sample of the actual network traffic.

Definition 4: $B_k$ is the time used to detect whether a specific data packet satisfies the rule $R_k$ in the rule set.

Definition 5: $T(P_i)$ refers to the time used to detect all data packets that fall under the $i$-th rule subset $P_i$ of the category $P$ of the rule set $R$ in the traffic $S$.

Formula 1: $T(P_i) = Num(P_i) \times \sum_{k \in K \wedge R_k \in P_i} B_k$, in which $Num(P_i)$ reflects the effect of the load on detection efficiency and $\sum_{k \in K \wedge R_k \in P_i} B_k$ reflects the effect of the rules on detection efficiency.

Definition 6: $M(P_i)$ refers to the memory used to save the rules of the $i$-th rule subset $P_i$ of the category $P$.

So for an actual traffic $S$ we can present the relationship between categories, detection efficiency and memory by the following formulas. Suppose that $H$ refers to the number of categories of all rules and $P_i$ refers to the $i$-th category of the rules, $i \in [1 \ldots H]$.

Formula 2: Suppose $T$ refers to the time used to detect the sample traffic $S$ under the category $P$. Then $T = \sum_{i=1}^{H} T(P_i)$.

Formula 3: $M$ refers to the memory used to save the whole detection rule set $R$ under the category $P$. Then $M = \sum_{i=1}^{H} M(P_i)$.

Theoretically, if memory were unlimited, the best scheme would be the one that makes $T$ minimal. In practice this is impossible. We have to find the category $P^*$ that minimises $T$ by comparing the categories $P$ composed of different rule fields; that is the scheme we need. Formulas 2 and 3 give us a method for judging the advantages and disadvantages of different schemes. Induction over the traffic gives us a new insight: the problem posed above can be solved theoretically. The following is the generation algorithm of the payload-adapt rule matching tree that we proposed.
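As an added illustration of Formulas 1 to 3 and of the choice of $P^*$ (this is not code from the paper), the following Python computes $T$ and $M$ for the category induced by a single rule field and picks the field whose category minimises $T$ within a memory bound. The rule set, the sample traffic, the $B_k$ values and the per-rule memory are constructed, and a rule that does not constrain a field is assumed to be a wildcard that joins every subset of that field's category.

```python
from collections import Counter

# Constructed rule set R. Each entry: (field constraints, B_k = time to check
# the rule in arbitrary units, memory in bytes to store it). Not real rules.
RULES = {
    "R1": ({"proto": "tcp", "dport": 80}, 3, 120),
    "R2": ({"proto": "tcp", "dport": 443}, 4, 150),
    "R3": ({"proto": "udp", "dport": 53}, 2, 100),
    "R4": ({"proto": "icmp"}, 1, 60),
    "R5": ({"proto": "tcp", "dport": 22}, 3, 110),
}
# Constructed sample traffic S as (packet fields, packet count) pairs.
TRAFFIC = [
    ({"proto": "tcp", "dport": 80}, 60),
    ({"proto": "udp", "dport": 53}, 25),
    ({"proto": "tcp", "dport": 443}, 10),
    ({"proto": "icmp", "dport": 0}, 5),
]

def category_by_field(rules, traffic, field):
    """Category P induced by one rule field: P_i holds the rules applicable
    when field == v_i. A rule that does not constrain the field is treated as
    a wildcard and joins every P_i (assumed rule semantics).
    Returns {v_i: (member rule ids, Num(P_i))}."""
    nums = Counter()
    for pkt, n in traffic:
        nums[pkt.get(field)] += n
    values = set(nums) | {r[field] for r, _, _ in rules.values() if field in r}
    cat = {}
    for v in values:
        members = [k for k, (r, _, _) in rules.items() if field not in r or r[field] == v]
        cat[v] = (members, nums[v])        # Num(P_i) is 0 for values unseen in S
    return cat

def total_time(rules, cat):
    """Formula 1 summed by Formula 2: T = sum_i Num(P_i) * sum_{R_k in P_i} B_k."""
    return sum(num * sum(rules[k][1] for k in members) for members, num in cat.values())

def total_memory(rules, cat):
    """Formula 3: M = sum_i M(P_i); a wildcard rule is stored once per subset."""
    return sum(sum(rules[k][2] for k in members) for members, _ in cat.values())

def baseline_time(rules, traffic):
    """No category at all: every packet is checked against every rule."""
    return sum(n for _, n in traffic) * sum(b for _, b, _ in rules.values())

def best_category(rules, traffic, fields, memory_limit):
    """P*: among single-field categories, the one with minimal T whose M fits
    the memory limit. Returns (field, T, M) or None if nothing fits."""
    best = None
    for f in fields:
        cat = category_by_field(rules, traffic, f)
        t, m = total_time(rules, cat), total_memory(rules, cat)
        if m <= memory_limit and (best is None or t < best[1]):
            best = (f, t, m)
    return best
```

With these constructed values, splitting on dport gives the smallest $T$ but needs more memory than splitting on proto, so the memory bound decides which category is $P^*$.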

We make the following assumptions: the memory for saving the data is fixed; the time used to detect whether a data packet matches the rule $R_k$ in the rule set is fixed; $N_R$ refers to the number of rules in the rule set $R$, and $N_T$ refers to the number of data packets in the sample traffic $S$. We then define $E_P$ as the proportion, within the whole rule set, of the rules that each packet is checked against on average after the category $P$ is adopted, that is $E_P = N_P / (N_R + N_T)$.

Generate_Rule_tree produces a rule tree from the given rule set and traffic set. Input: the rule set, rules; the traffic set, traffics, each represented by the corresponding discrete attribute values; and the attribute list composed of the candidate rule fields, attribute_list. Output: a rule tree. The algorithm is as follows:

Generate_Rule_tree(rules, traffics, attribute_list):
    Build node N;
    IF attribute_list is empty THEN
        Return N as a leaf node; mark its rules as the general category;   // recursion ends
    Calculate the Gain(P) of each attribute in attribute_list;
    IF an attribute test_attribute meeting the condition exists THEN
        Mark node N with test_attribute;
    ELSE
        Return N as a leaf node; mark its rules as the general category;   // recursion ends
    FOR each value vi of test_attribute:                                   // divide the rules
        Build a branch node under N with the condition test_attribute = vi;
        Rnum = number of rules meeting the condition, and collect those rules;
        Tnum = number of packets meeting the condition, and collect those packets;
        IF Tnum == 0 THEN
            Return the branch node as a leaf node and continue with the next value;
        Let Ri be the rules in rules with test_attribute = vi;             // rule division
        Let Di be the traffic in traffics with test_attribute = vi;        // traffic division
        Generate_Rule_tree(Ri, Di, attribute_list - test_attribute);
    Next;
    Cancel the mark of node N;
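The following Python port of Generate_Rule_tree, together with the tree walk that the Payload-adapt Detection Analysis Module performs, is an added example and not the authors' implementation. It assumes that Gain(P) of an attribute is the reduction in total rule checks over the sample traffic, that a rule which does not constrain the test attribute applies to every branch, and that a packet value unseen in the sample falls back to the full rule set of that node; the rules and traffic are constructed.

```python
from collections import Counter

# Constructed rule set: each rule constrains some packet fields; a field a rule
# does not mention is treated as a wildcard ("any"), an assumption made here.
RULES = {
    "R1": {"proto": "tcp", "dport": 80},
    "R2": {"proto": "tcp", "dport": 443},
    "R3": {"proto": "udp", "dport": 53},
    "R4": {"proto": "icmp"},
    "R5": {"proto": "tcp", "dport": 22},
    "R6": {"dport": 8080},
}
# Constructed sample traffic S (not a real capture): mostly HTTP and DNS.
TRAFFIC = (
    [{"proto": "tcp", "dport": 80}] * 6
    + [{"proto": "udp", "dport": 53}] * 3
    + [{"proto": "tcp", "dport": 443}] * 2
    + [{"proto": "icmp", "dport": 0}]
)

def applicable(rules, attr, value):
    """Rules that can still match when attr == value (wildcards included)."""
    return {k: r for k, r in rules.items() if attr not in r or r[attr] == value}

def checks(rules, traffic, attr):
    """Total rule checks over the sample if packets are split on attr."""
    counts = Counter(p.get(attr) for p in traffic)
    return sum(n * len(applicable(rules, attr, v)) for v, n in counts.items())

def generate_rule_tree(rules, traffic, attribute_list):
    """Generate_Rule_tree: Gain(attr) is assumed to be the reduction in rule
    checks; returns {"leaf": rules} or a node with one branch per value."""
    if not attribute_list or not traffic:
        return {"leaf": dict(rules)}                 # general category leaf
    unsplit = len(rules) * len(traffic)
    gains = {a: unsplit - checks(rules, traffic, a) for a in attribute_list}
    test_attr = max(gains, key=gains.get)
    if gains[test_attr] <= 0:
        return {"leaf": dict(rules)}                 # no attribute helps: recursion ends
    node = {"attr": test_attr, "branches": {}, "default": dict(rules)}
    for v in {p.get(test_attr) for p in traffic}:    # only values seen in S (Tnum > 0)
        Ri = applicable(rules, test_attr, v)         # rule division
        Di = [p for p in traffic if p.get(test_attr) == v]   # traffic division
        rest = [a for a in attribute_list if a != test_attr]
        node["branches"][v] = generate_rule_tree(Ri, Di, rest)
    return node

def candidates(tree, packet):
    """Walk the tree to the rule subset the packet must be checked against;
    a value unseen in S falls back to the full rule set of that node."""
    while "leaf" not in tree:
        tree = tree["branches"].get(packet.get(tree["attr"]), {"leaf": tree["default"]})
    return tree["leaf"]

def matches(rules, packet):
    """Misuse check: ids of rules whose every constraint the packet satisfies."""
    return sorted(k for k, r in rules.items()
                  if all(packet.get(f) == v for f, v in r.items()))

def detect(tree, packet):
    """Payload-adapt detection: candidate subset first, then the full check."""
    return matches(candidates(tree, packet), packet)
```

On the constructed sample the root splits on dport, so the dominant HTTP packets are checked against a single rule instead of six, while the fallback keeps detection results identical to checking every rule.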

4. USING PETRI NETS TO LOWER THE FALSE POSITIVE RATE AND FALSE NEGATIVE RATE FURTHER
According to the intermediate detection results reported by each sub detection centre, the complex intrusion analyzer based on Petri nets makes full use of the complex attack models represented by Petri nets to carry out alarm information fusion and comprehensive analysis, and so reduces false positives and false negatives further. Figure 4 describes the detection process.
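The analyzer flow that figure 4 and the following paragraph describe, as an added Python sketch that is not the paper's analyzer: each complex-attack rule is modelled as a chain of Petri-net places whose transitions fire on one low-level alert type from the same source, the suspicious behaviour library holds rule nodes with their tracked instances, the judgment device advances instances in progress, and the pattern matching device opens new ones. The rule library and the alert stream are constructed.

```python
from dataclasses import dataclass

# Constructed complex-attack rules (not from the paper's library). Each rule is
# a chain of Petri-net places; the transition out of place i fires when an
# alert of the i-th type arrives from the same source. Rules have >= 2 stages.
RULE_LIBRARY = {
    "multi-stage-A": ["probe", "exploit_attempt", "new_service"],
    "multi-stage-B": ["auth_failure", "auth_failure", "auth_success"],
}

@dataclass
class Instance:
    """Lower node of the suspicious behaviour library: one tracked behaviour."""
    source: str
    marking: int = 1        # index of the place holding the token (stage reached)

def judgment_device(lib, alert):
    """Further-match the alert against every instance in progress. Returns
    (advanced, completed): whether any instance consumed the alert, and the
    (rule, source) pairs whose final place was reached (an intrusion)."""
    advanced, completed = False, []
    for name, instances in lib.items():
        steps = RULE_LIBRARY[name]
        for inst in list(instances):
            if inst.source == alert["src"] and steps[inst.marking] == alert["type"]:
                inst.marking += 1                    # token moves to the next place
                advanced = True
                if inst.marking == len(steps):
                    completed.append((name, inst.source))
                    instances.remove(inst)
    return advanced, completed

def pattern_matching_device(lib, alert):
    """Extract rules whose first transition this alert fires; create the rule
    node (2nd level) if absent, then its new instance. Returns rule names."""
    created = []
    for name, steps in RULE_LIBRARY.items():
        if steps[0] == alert["type"]:
            lib.setdefault(name, []).append(Instance(alert["src"]))
            created.append(name)
    return created

def analyze(alerts):
    """Complex intrusion analyzer: feed bottom-level alerts through the
    judgment device first, then the pattern matching device. Returns alarms."""
    lib, alarms = {}, []                             # lib: rule name -> [Instance]
    for alert in alerts:
        advanced, completed = judgment_device(lib, alert)
        alarms.extend(completed)
        if not advanced:
            pattern_matching_device(lib, alert)
    return alarms

# Constructed low-level alert stream from the sub detection centres.
ALERTS = [
    {"src": "10.0.0.5", "type": "probe"},
    {"src": "10.0.0.9", "type": "exploit_attempt"},  # no preceding probe: not tracked
    {"src": "10.0.0.5", "type": "exploit_attempt"},
    {"src": "10.0.0.7", "type": "auth_failure"},
    {"src": "10.0.0.7", "type": "auth_failure"},
    {"src": "10.0.0.5", "type": "new_service"},
    {"src": "10.0.0.7", "type": "auth_success"},
]
```

Only alert sequences that complete a whole chain raise an alarm; an isolated alert that does not start or continue any rule is left at the low level, which is how the correlation step lowers false positives.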

In figure 4, the suspicious behaviour library is a tree structure. The root node points to the rules from the complex intrusion rule library that are waiting for analysis (added dynamically by the pattern matching device based on Petri nets); these are the rules referenced by the suspicious behaviours being tracked. The lower nodes record the instances that satisfy each rule; they represent the specific suspicious behaviours currently being tracked, and each can contain multiple sub-nodes of suspicious behaviours. These suspicious behaviours, which still need further confirmation, have partially matched the Petri net rule corresponding to each attack behaviour. The suspicious behaviour judgment device takes the bottom-level suspicious information as input and carries out further matching against every rule instance in progress in the suspicious behaviour library. If the match is satisfied, the reliability of the attack behaviour increases. If it is judged to be an intrusion, the manager is alerted through the alarm response module; otherwise it is sent to the pattern matching device for processing. According to the suspicious information to be judged, sent by the suspicious behaviour judgment device, the pattern matching device based on Petri nets extracts the satisfied rules from the complex intrusion rule library based on Petri nets and compares them with the rules (2nd level nodes) of the suspicious behaviour library. If they match, a specific instance is created under the corresponding node; otherwise the rule and its first new instance are created under the node for later matching operations.

Fig.4. Analysis process of Complex Intrusion Analyzer based on Petri net (components shown: Complex Intrusion Rule Library Based on Petri Net, Pattern Matching Device Based on Petri Net, Suspicious Behavior Library, Suspicious Behavior Judgment Device, Alarm Response Module, Bottom Suspicious Information)

5. EXPERIMENTAL RESULTS AND ANALYSIS

To prove our solutions are feasible and effective, we developed two components on the basis of Snort to realize the payload-adapt intrusion detection method. The first component is the rule matching tree generation module, implemented with the decision tree classification method, which generates the payload-adapt rule matching tree according to the actual network traffic $S$ and the available rule sets $R$. The second component locates the applicable rule sets for each event or packet and matches them rapidly using the payload-adapt rule matching tree and the search process of the decision tree. We collected data from three periods and ran experiments with Snort [11] and with our improved Snort (PASnort for short) respectively. The data obtained from the experiments are recorded in figure 5. In figure 5, the bars show the detection efficiency $P$, expressed as the number of packets processed per second. The start time of detection is $T_{start}$, the end time is $T_{end}$, and $Num$ is the number of times the detection module is called, that is, the number of packets. Then $P = Num / (T_{end} - T_{start})$.

Fig.5. Detection Efficiency (bar chart of packets per second for Data 1, Data 2 and Data 3, PASnort versus Snort; axis from 0 to 80000)

The experiment indicates (figure 5): when the features of the sample packets are similar to the characteristics of the traffic detected, the detection rate of our approach increased by nearly 20% compared with the original method. When the features of the sample packets and the characteristics of the traffic detected have few differences, the detection rate also increased, but only a little. However, it is never lower than the detection rate of Snort, which fully proves our solution is effective. Meanwhile, we applied our framework to the Web-Based Teaching System developed by ourselves. Because at the high level we use Petri nets to establish the rule library, we can reduce the false positive rate and the false negative rate of the alarm information from the lower level, and increase the reliability of detection at the high level and the accuracy of intrusion detection by detecting complicated and correlated attacks through information fusion and alarm correlation technology. On the other hand, this also reduces the burden on network administrators.

6. CONCLUSIONS
In this paper, a payload-adapt IDS framework for IPv6/4 environments is established. Using the payload-adapt intrusion detection method proposed in the paper, the Payload-adapt Analysis Module of the framework is realized. It can be utilized to solve the high packet-loss problem. In addition, the Collaborative Analysis and Control Centre uses Petri nets to model complex attacks and generate rules that improve the accuracy of alerts. The experiments show that our solutions are feasible and effective for resolving the problems of high false positive rate and high false negative rate that current IDS face.

7. REFERENCES
[1] Marcus Goncalves, Kitty Niles, IPv6 Networks, New York: McGraw-Hill, 1998.
[2] Tang Qian, Zhang Dafang, Huang Kun, "Using Gain-ratio Based Decision Trees to Improve Intrusion Detection", Computer Engineering, 2006, 32(7): 146-148.
[3] Ren Xiaofeng, Dong Zhanqiu, "Research and Implementation on Increasing Speed of Rule-matching in Snort", Computer Applications, 2003, 23(4): 59-61.
[4] Wolfgang Reisig, Petri Nets, Berlin: Springer-Verlag, 1985.
[5] D.E. Denning, "An intrusion-detection model", IEEE Transactions on Software Engineering, Vol. 13, No. 2, 1987, pp. 222-232.
[6] J. Frank, "Artificial Intelligence and Intrusion Detection: Current and Future Directions", Proceedings of the 17th National Computer Security Conference, 1994.
[7] Richard P. Lippmann, David J. Fried, Isaac Graf, Joshua W. Haines, Kristopher R. Kendall, David McClung, Dan Weber, Seth E. Webster, Dan Wyschogrod, Robert K. Cunningham, and Marc A. Zissman, "Evaluating Intrusion Detection Systems: the 1998 DARPA Off-Line Intrusion Detection Evaluation", Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (DISCEX), Vol. 1.
[8] J.P. Anderson, Computer Security Threat Monitoring and Surveillance, Technical report, James P. Anderson Co., Fort Washington, Pennsylvania, 1980.
[9] L. Heberlein et al., "A Network Security Monitor", Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, 1990, pp. 296-303.
[10] Roy A. Maxion, Kymie M.C. Tan, "Benchmarking Anomaly-Based Detection Systems", International Conference on Dependable Systems and Networks (DSN 2000), 2000.
[11] Qi Jiandong, Tao Lan, Sun Zongcan, "Dissecting Snort, tool for intrusion detection", Computer Engineering and Design, 2004.1, pp. 36-39.
