Back   |  Pr Home  |  Current projects |  Prev. projects  |  Background research   |  [Bill's Home]

Current projects

   

Detection and Immunisation of Network-based Security Threats
First step in building/designing/researching IDS and network anomaly systems is the research of data gathering techniques from various sources such as Intrusion Detection systems.

Problems involved with regards to data management, collection and analysis.

How do we collect the data? Which source of data is the most useful? Specifically, where on the network is the most effective place to monitor? Should the hosts have an IDS as well as network based IDS. Also, what type of traffic needs to be analysed? Network traffic vs application data. It certainly looks like a range of different levels of the network need to be monitored. With modern systems, a lot of data is generated and often overwhelms the human and computer systems set up to sift through them.

- ...typically overwhelming operators with system messages and other low-level data. (BASS, T, 2000)

- False alarms from ID systems are problematic, persistent, and preponderant (BASS, T, 2000)

For example (SEKAR et al) implements a high performance network intrusion detection system which works on network. It suggests that it will be able to work with network speeds as high as 500mbps. It uses a form of pattern matching which closely resembles regular expressions. This approach is meant to cut down on the development time for newly discovered attacks. Disadvantages are mainly that of being unable to quickly respond to newly discovered threats.

(KRÜGEL et al) investigates an application based IDS which builds a model of behaviour based on service specific traffic. This system extends the model which only includes TCP packet information and considers the payload as well. The model proposed by KRÜGEL splits the traffic into it’s main components: HTTP, DNS, SMTP, FTP. Unfortunately, this type of model depends on an initial training period which once again is prone to errors once large variations within network traffic occur.

Once the data has been collected, how do we make sense of it? Is it used as it comes in? Is it stored later on and used for data mining?

The application of data fusion in technical systems requires mathematical and heuristic techniques from fields such as statistics, AI, operations research, digital signal processing, pattern recognition, cognitive psychology, information theory, and decision theory (BASS, T, 2000)

Huge volumes of data and false positives are a problem that need to be addressed. Further research into the filed of neural networks will need to be undertaken.

ID systems that examine operating system audit trails, or network traffic and other similar detection systems, have not matured to a level where sophisticated attacks are reliably detected (BASS, T, 2000)

… Network management and ID systems must operate in a uniform and cooperative model, fusing data into information and knowledge, so network operators can make informed decisions about the health and real-time security of their corner of cyber-space (BASS, T, 2000)

In a nutshell, the basic approaches to intrusion detection today may be summarized as known pattern templates, threatening behavious templates, traffic analysis, statistical-anomaly detection, and state-based detection (BASS, T, 2000)

There are certainly a number of areas to investigate with regards to active network management. So far the SNMP protocol framework has been looked at. A more comprehensive compare/contrast of these network management protocols would be recommended.

Proactive network management implies setting up network devices to automatically detect problems and correct them without the network manager’s intervention, allowing the networks to ‘heal’ themselves. (CHIU, T. 1998)

Platforms do not provide much in the way of proactive network management. Platforms like HP open-view and SunNet manager provide a method of monitoring existing traffic patterns and devices in the network, but generally cannot give much help in preventing problems from occurring. (CHIU, T. 1998)

In addition, proactive network management requires the user to capture data about network behaviours, existing (CHIU, T. 1998)

If we were to consider a more holistic approach to network defence, then (YEGNESWARAN et al) suggest based on research that a list of common offenders IP addresses could be compiled using the data from router logs collect from many organisations:

Such attacks are fairly common, and that blacklisting the worst offenders would be an affective mechanism of defending against non-port 80 (YEGNESWARAN et al, 2003)

Once again, it comes down to the amount of processing of data which needs to be done and the way we process it.

Jamie Graves.


BASS, T, 2000. Intrusion Detection Systems and Multisensor Data Fusion Communications of the ACM archive, Volume 43 , Issue 4 Pages: 99 - 105

CHIU, T. 1998. Getting Proactive Network Management From Reactive Network Management Tools. International Journal of Network Management archive. Volume 8 , Issue 1 Pages: 12 - 17

YEGNESWARAN V, BARFORD P, ULLRICH J, June 2003. Internet Intrusions, Global Characteristics and Prevalence. ACM SIGMETRICS Performance Evaluation Review , Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, Volume 31 Issue 1

SEKAR R, GUANG., Y., VERMA S., SHANBHAG T., November 1999. A high-performance network intrusion detection system. Proceedings of the 6th ACM conference on Computer and communications security.

KRÜGEL C, TOTH T, KIRDA E, March 2002. Service specific anomaly detection for network intrusion detection. Proceedings of the 2002 ACM symposium on Applied computing