Intrusion Prevention System

Alexis V. Pantola, Aileen N. Choa, Antonio C. Ipili, Kent Derrick C. Tan, Anthony O. Yan

De La Salle University - PSI, 2401 Taft Ave., Manila, Philippines, 1004, +632 524 0402

ABSTRACT

Many institutions depend heavily on the Internet, which in turn opens up opportunities for hackers to infiltrate their networks. Firewalls and Intrusion Detection Systems (IDS) are the most prevalent forms of network security. A firewall permits or denies the entry of a network packet based on its port number or IP address. An IDS, on the other hand, acts as a security camera that watches incoming packets and reports any malevolent activity present in the network. However, an IDS is a passive device: it only reports malicious activity, and the necessary actions must be taken manually by the network administrator. Given these limitations, a new breed of security measure is needed; hence the emergence of the Network Intrusion Prevention System (NIPS). A NIPS combines the capabilities of the technologies mentioned above and uses them together by scanning incoming packets for malicious content. A packet handler module and an intrusion prevention algorithm are developed to capture incoming packets, decode their contents, and drop malicious ones. Log sheets are generated containing a list of the anomalous packets that attempted to penetrate the network.

Categories and Subject Descriptors C.2.0 General - Security and Protection. C.2.1. Network Architecture and Design - Network communications.

General Terms Security, Management.

Keywords Network security, network management, network infrastructure.

1. INTRODUCTION

In past years, people and companies have relied heavily on the Internet as their primary source of data. Its security, however, is constantly challenged; intrusions penetrate systems and destroy millions of records, leading to financial losses and lost productivity. The first solution proposed is a firewall, which blocks invalid IP addresses from entering a network or allows access only to limited ports for certain IP addresses. This has proven its worth in preventing various types of intrusion. However, other forms of attack, such as reconnaissance, Denial of Service (DoS) attacks and protocol anomalies, are still able to infiltrate a network. The second solution offered is an Intrusion Detection System (IDS), which serves as a video camera inspecting network traffic, logging it to databases and at times sending alarms to warn the network administrator of attacks. This solution has an advantage: it is deployed offline, so it causes no network interruptions. Its inability to stop intrusions, however (it detects but does not prevent), makes it seem useless at times, not to mention the lengthy period needed to respond to attacks. A new solution needs to be realized, one that is able to block the malicious packets that penetrate a system.

2. SYSTEM ARCHITECTURE

Figure 2-1 NIPS Architecture Design

The NIPS consists of four modules, as shown in Figure 2-1: the Packet Sniffer, Packet Scanner, Event Log and Packet Forwarder. Through the Packet Sniffer, the NIPS captures network packets and scans their contents using the Packet Scanner. All packets detected to be malicious are dropped and the corresponding entries are made through the Event Log; each entry comprises the source and destination IP addresses of the attacker, the name of the attack, and the date and time the attack occurred. After the malicious packets are removed, the legitimate packets are forwarded to their destination through the Packet Forwarder. Internally, there are two sets of Packet Sniffer and Packet Forwarder, since packets may come from and go to either the external or the internal network.¹

¹ An NIPS is not necessarily directly connected to the internal and/or external networks. Instead, NIPS load balancers may be used to distribute the work among several NIPS. This paper does not discuss the use of NIPS load balancers; however, in some diagrams, load balancers replace the internal and external networks.

2.1 Packet Sniffer

Figure 2-2 Packet Sniffer Block Diagram

This module captures packets passing through the network. It runs in promiscuous mode, where all packets are captured regardless of their destination MAC (Media Access Control) address. As shown in Figure 2-2, the module has three components: capture driver, buffer and decode. The capture driver captures the network traffic through the interface card, filters it for the particular traffic needed, and stores the data in a buffer. The contents of the network traffic are revealed in the Decode block and are then temporarily saved in another data buffer.

2.2 Packet Scanner

Figure 2-3 Packet Scanner Block Diagram

As shown in Figure 2-3, this module has three components: Port Scan; the Scanning Algorithm, which comprises the Inverse Exclusion Filter, the Protocol Validation Filter and the Signature Pattern Matching Filter; and the Response Engine. Port Scan may be turned on or off depending on the presence of a load balancer and the preference of the network administrator. The Scanning Algorithm encompasses three aspects. In the Inverse Exclusion Filter, “all requests except those that are legal for a given destination are dropped” [2]; the attacks detected here are IP address spoofing and unwanted IP addresses (the IP Address Filter). In the Protocol Validation Filter, “illegal request methods are dropped” [2] based on the required protocols; the attacks identified are LanD and Smurf. In the Signature Pattern Matching Filter, attacks are detected by comparing packet contents with predefined signatures; its list of detected intrusions includes HTTP and ICMP attacks. The Response Engine handles the packets that the filters flag as malicious: it rejects each such packet and sends it to the Event Log module for logging.

2.2.1 Inverse Exclusion

Spoofing of IP address (limited) – Spoofed IP addresses are detected in both directions (i.e., from internal to external and vice versa). If a computer in an internal subnet sends a packet, it is identified as an attack only if the source IP address used is not found inside the network. This, however, is not effective if a host in the internal network assumes the IP address of another internal host. If the external subnet sends a packet, it is considered an attack only if the spoofed IP address is found inside the internal network; otherwise, the packet is allowed to pass through. This is done by comparing the source IP address with a list of IP addresses considered illegal for the said network.

Unwanted IP Address – Packets with unwanted IP addresses are verified using an access control list (ACL), where a previously specified list of unwanted source and destination addresses is used as a comparison for incoming and outgoing IP addresses. If an address matches an entry in the list, the packets it is sending are automatically dropped.

2.2.2 Protocol Validation

LanD – This attack is detected by comparing the source and destination IP addresses of a packet. If they are found to be identical, the packet is immediately dropped by the system.

Smurf – This attack is detected by checking the destination address of a packet. If the destination address is a broadcast address, the packet is immediately discarded.
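The Inverse Exclusion (2.2.1) and Protocol Validation (2.2.2) filters as one small scanning pipeline over constructed packets; this is an added example, not code from the paper or its NIPS. The internal subnet, the ACL entries, the sample addresses and the filter order are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed deployment: one internal subnet; the NIPS sits between it and the outside.
INTERNAL_NETS = [ip_network("192.168.10.0/24")]
# Assumed access control list of unwanted addresses (source or destination).
UNWANTED_ACL = {ip_address("203.0.113.7")}


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "in" = sent by the external network, "out" = sent by the internal network


def in_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)

def spoofed(pkt: Packet) -> bool:
    """Limited IP spoofing check, applied in both directions (section 2.2.1)."""
    src = ip_address(pkt.src)
    if pkt.direction == "out":
        # An internal host may only use an address that belongs to the internal network.
        return not in_internal(src)
    # An external host may not claim an address that belongs to the internal network.
    return in_internal(src)

def acl_hit(pkt: Packet) -> bool:
    """Unwanted IP Address check: source or destination appears on the ACL."""
    return ip_address(pkt.src) in UNWANTED_ACL or ip_address(pkt.dst) in UNWANTED_ACL

def land(pkt: Packet) -> bool:
    """LanD: source and destination IP addresses are identical (section 2.2.2)."""
    return ip_address(pkt.src) == ip_address(pkt.dst)

def smurf(pkt: Packet) -> bool:
    """Smurf: destination is the limited broadcast or an internal subnet's broadcast address."""
    dst = ip_address(pkt.dst)
    return dst == ip_address("255.255.255.255") or any(
        dst == net.broadcast_address for net in INTERNAL_NETS)


# Filters in the (assumed) order the scanner consults them; the first violated rule is logged.
FILTERS = [("Limited IP Spoofing", spoofed), ("IP Address Filter", acl_hit),
           ("LanD", land), ("Smurf", smurf)]

def scan(pkt: Packet):
    """Return None to forward the packet, or the Event Log entry for a dropped packet."""
    for name, check in FILTERS:
        if check(pkt):
            return {"src": pkt.src, "dst": pkt.dst, "attack": name,
                    "time": datetime.now(timezone.utc).isoformat()}
    return None
```

Because only the first violated rule is logged, an inbound LanD packet that also claims an internal source address is recorded as spoofing, not as LanD; that is the logging-order effect the experiments section discusses.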

2.2.3 Signature Pattern Matching

HTTP – Upon receiving an HTTP packet, the NIPS compares the contents of the packet against its file of predefined signatures.

ICMP – Three types of ICMP check are considered: the ICMP Max Length Exceeded Check, the IP Options Check, and the Illegal Header Value Check. The first type examines the code and fields of the ICMP header and compares them to a list of correct values to determine whether they are valid. The IP Options Check checks whether any IP options are present in the packet. The last type looks for anomalous data in the packet; if any is found, the packet is dropped.
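The Signature Pattern Matching filter of 2.2.3 over constructed raw IPv4 packets, as an added example that is not the paper's code: the three ICMP checks and an ordered HTTP signature file whose first match is the one reported. The signature patterns, the accepted ICMP type/code table, the length limit and the packet builders are assumptions for the illustration.

```python
import struct

# Assumed HTTP "file of predefined signatures", in the order the scanner consults it.
HTTP_SIGNATURES = [("WEB: etc password file look-up", b"/etc/passwd"),
                   ("WEB: HTACCES", b".htaccess"), ("WEB: DOTDOT", b"../")]
# Assumed list of (type, code) pairs accepted as valid ICMP header values.
VALID_ICMP = {(0, 0), (3, 0), (3, 1), (3, 3), (8, 0), (11, 0)}
MAX_ICMP_DATA = 1024  # assumed largest ICMP payload the scanner tolerates


def parse_ipv4(raw: bytes):
    """Return (protocol, has_ip_options, payload) from a raw IPv4 packet."""
    ihl = (raw[0] & 0x0F) * 4          # header length in bytes; > 20 means IP options
    return raw[9], ihl > 20, raw[ihl:]

def check_icmp(payload: bytes):
    """Max Length Exceeded and Illegal Header Value checks; the first failure wins."""
    if len(payload) < 8:
        return "ICMP: Illegal Header Value"
    icmp_type, code = struct.unpack("!BB", payload[:2])
    if len(payload) - 8 > MAX_ICMP_DATA:
        return "ICMP: Max Length Exceeded"
    if (icmp_type, code) not in VALID_ICMP:
        return "ICMP: Illegal Header Value"
    return None

def check_http(request: bytes):
    """Compare request contents with the signature file; the first match is logged."""
    for name, pattern in HTTP_SIGNATURES:
        if pattern in request:
            return name
    return None

def scan_raw(raw: bytes):
    """Return the name of the matched attack, or None if the packet is clean."""
    proto, has_opts, payload = parse_ipv4(raw)
    if proto == 1:                      # ICMP
        if has_opts:
            return "ICMP: IP Options present"
        return check_icmp(payload)
    if proto == 6:                      # TCP carrying HTTP
        off = (payload[12] >> 4) * 4    # TCP data offset, in bytes
        return check_http(payload[off:])
    return None


def build_ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left zero) for the sample packets."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                      0, 0, 64, proto, 0, bytes([198, 51, 100, 1]), bytes([192, 168, 10, 9]))
    return hdr + options + payload

def build_icmp(icmp_type: int, code: int, data: bytes = b"") -> bytes:
    """Constructed 8-byte ICMP header (checksum left zero) followed by data."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 1, 1) + data

def build_tcp(data: bytes) -> bytes:
    """Constructed 20-byte TCP header (no options) to port 80, followed by HTTP data."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data
```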

2.3 Packet Forwarder

Figure 2-4 Packet Forwarder Block Diagram

After a packet is scanned and found to be attack-free, this module (see Figure 2-4) allows the packet to reach its destination. The Packet Forwarder is also responsible for sending unique Keep Alive packets to a load balancer, if one is present. These Keep Alive packets are messages sent to acknowledge the presence of the NIPS and its connection to the load balancer.

2.4 Event Log

This module records an event whenever the system drops a packet due to malicious content. These logs are kept for review by the administrator and contain the source IP, destination IP, name, date and time of each attack detected.

3. EXPERIMENTS AND RESULTS

The NIPS is tested using two computers and a machine loaded with the NIPS software (see Figure 3-1). The first computer represents the external network, while the second acts as the internal network. The machine with the NIPS software is located between the two computers.

Figure 3-1 Experiment Set-up

The scanning component of the NIPS is designed to sniff all packets from the source network and check for attacks by comparing each packet to a file of unwanted contents based on HTTP and ICMP samples, dropping all those found to be malevolent. Packets violating rules such as LanD, Smurf, IP Address Filter and IP Spoofing are also blocked as needed. Prior to this, the port scan functionality is used to check for attacks that look for active ports in the network. Afterwards, the system log creates a database of all the discovered attacks. The external network (source) sends packets (both valid and malicious) using a packet generator, while the internal network runs a packet sniffer that counts the packets received. The Windows protocol stack of the machine with the NIPS software is disabled so that the system acts as a wire that does not interfere with the communication between the source and receiving computers, except to transport the data. The first two sections of this experiment are done in the Monitor Mode of the NIPS, in which detected attacks are not dropped; the last three are tested in the Activate Mode, in which the malicious packets detected are dropped. Both modes list all discovered attacks in the log sheet. Different attacks are sent from the external network, with five trials performed for each attack. The results of the experiment are given below.

Table 3-1 Result of Experiment

Attack                        | 1st run | 2nd run | 3rd run | 4th run | 5th run
------------------------------|---------|---------|---------|---------|--------
Telnet: Root Login            |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
Telnet: passwd file look-up   |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
FTP: Root Login               |    ✗    |    ✓    |    ✗    |    ✓    |    ✓
FTP: No Password              |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
FTP: Pass Guest               |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
FTP: etc passwd file look-up  |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
Finger: demo                  |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
255 FTP: long password        |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
WEB: DOTDOT                   |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
WEB: DOTDOT2                  |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
WEB: etc password file look-up|    ✓    |    ✓    |    ✓    |    ✓    |    ✓
WEB: HTACCES                  |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
Finger: search                |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
Finger: root                  |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
Finger: bomb                  |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
Finger: probe                 |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
TFTP: group file look-up      |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
FTP: user-anon                |    ✗    |    ✓    |    ✗    |    ✓    |    ✓
FTP: user-ftp                 |    ✗    |    ✓    |    ✗    |    ✓    |    ✓
FTP: group file look-up       |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
TFTP: passwd file look-up     |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
LanD                          |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
Smurf                         |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
IP Address Filter             |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
Limited IP Spoofing           |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
Backdoor Signature – Q ICMP   |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
ICMP Ping Delphi-Piette Win   |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
ICMP Ping Microsoft Windows   |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
ICMP Ping Pinger Windows      |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
ICMP Address Mask Reply       |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
Fin                           |    ✓    |    ✓    |    ✓    |    ✓    |    ✓
Syn                           |    ✓    |    ✓    |    ✓    |    ✓    |    ✓

Legend: ✓ - Attack Detected; ✗ - Attack Missed

As seen in the results, all of the attacks are detected except for FTP: Root Login, User-Anonymous, and User-FTP. This may be attributed to the way the system logs attacks: some attacks are not recorded on several occasions because of the order in which the attack signatures are listed. For single-packet attacks, the first signature in the list that the packet violates is the one recorded in the log sheet. If multiple fragmented packets are sent and the attack signature is split across them, the records comprise all the violations found in each individual fragment, made once the whole packet has actually been received.

4. CONCLUSION

The Network Intrusion Prevention System is a system that detects and blocks malicious packets from entering and leaving the network. In addition, the system provides an event log listing the attacks discovered by the system. The NIPS module identifies malicious packets by searching through a user-supplied list of signatures. This signature file, when configured properly, detects HTTP, IP, ICMP, TCP, and UDP attacks. Other functions, such as IP Spoofing detection, Port Scan detection, IP Address Filter, LanD and Smurf, are also present to protect the internal network from being penetrated.

5. REFERENCES

[1] Anderson, R.J. (2001). Network Attack and Defense. http://ww.ftp.cl.cam.ac.uk/ftp/users/rja14/c18_anderson.pdf

[2] Attack Mitigator IPS: Configuration and Management Manual (June 1, 2003).

[3] Botha, M., Rossouw von Solms, Perry, K., Loubser, E., and Yamoyany, G. (2002). The Utilization of Artificial Intelligence in a Hybrid Intrusion Detection System.

[4] Cisco Systems Inc. (1999). Cisco Secure Intrusion Detection System, Technical Overview.

[5] Fu, Arvin, et al. (2003). Linux-Based Intruder Detection System. De La Salle University, Philippines.

[6] Lee, W., Stolfo, S.J. (2001). A Framework for Constructing Features and Models for Intrusion Detection Systems.

[7] Miller, I. (2001). Protection Against a Variant of the Tiny Fragment Attack.

[8] Ziemba, G., et al. (1995). Security Consideration for IP Fragment Filtering.
