Intrusion Detection System

Analysis of Snort and Bayesian network

Sridevi S Taradi

Department of Information Technology
Vidyalankar Polytechnic, Wadala

Abstract- Information is priceless, and its security therefore becomes an important area of concern. Attacks on information systems make them vulnerable to theft and cause loss of confidential data. Intrusion detection systems play a vital role in combating attackers and offer additional security measures for these environments by investigating configurations, logs, network traffic, and user actions to identify typical attack behavior. An IDS protects a system from attack, misuse, and compromise. It can also monitor network activity.

I.  INTRODUCTION

The ability to detect the rapidly growing number of Internet attacks has become an important issue in network security. An intrusion detection system (IDS) acts as a necessary complement to a firewall: it monitors packets on the computer network, analyses them and responds to suspicious traffic. Network traffic monitoring and measurement is increasingly regarded as an essential function for understanding and improving the performance and security of our cyber infrastructure.

Also, the decreasing price of VoIP communication results in a massive spread of Spam over Internet Telephony (SPIT). Thus, it is necessary to develop appropriate countermeasures.

Authenticity is necessary for detecting and avoiding SPAM over Internet Telephony (SPIT). Only if the identity of a caller can be verified reliably can a spitter be exposed and appropriate countermeasures be taken.

What is Intrusion Detection?

"Any action that is not legally allowed for a user to take towards an information system is called an intrusion, and intrusion detection is the process of detecting and tracing inappropriate, incorrect, or anomalous activity targeted at computing and networking resources".

Intrusion detection provides the following:

·  Monitoring and analysis of user and system activity

·  Auditing of system configurations and vulnerabilities

·  Assessing the integrity of critical system and data files

·  Statistical analysis of activity patterns based on the matching to known attacks

·  Abnormal activity analysis

Issues and Challenges in the IDS

An intrusion detection system should recognize a substantial percentage of intrusions while maintaining the false alarm rate at an acceptable level. A false positive occurs when there is no intrusion but the IDS reports one. A false negative occurs when there is an intrusion in the events and the IDS does not detect it. It is very difficult to maintain a high rate of detection together with a low rate of false alarms.

TABLE I

ID Analysis Methods

Signature based / Anomaly based
Involves searching network traffic for packet sequences known to be malicious / Involves matching patterns against past models, attack styles, etc.
Very few false positives / Huge number of false positives
Cannot detect novel attacks / Detects novel attacks
Easy to design / Difficult to design
Accurate alerts / Large number of false alerts
Does not work against attack patterns created by a human or a worm / Difficult to detect attacks for which a signature does not exist
Commonly based on regular expressions and string matching / Pattern matching

II.  DESCRIPTION

A.  Snort- Signature based IDS

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS), created by Martin Roesch in 1998.

Snort's open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface attacks, buffer overflows, server message block probes, and stealth port scans.

Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine.

Why Snort?

Snort focuses on performance and simplicity, which makes it a good choice to run on any operating system. Snort is one of the best-known lightweight IDSs. It can easily be deployed on any node of a network, with minimal disruption to operations.

TABLE II

Comparison of Bro and Snort

Parameter / Bro / Snort
Operating system compatibility / Unix / Any
Installation / deployment / Difficult / Easy
Contextual signatures / Yes / No
Large user community / No / Yes
Configuration GUI / No / Yes
Analysis GUI / A few / A lot

Diagrammatic representation

Figure 1: Snort

1.1 Packet Decoder

The packet decoder takes packets from different types of network interfaces and prepares the packets to be preprocessed or to be sent to the detection engine. The interfaces may be Ethernet, SLIP, PPP and so on.

1.2 Preprocessors and Detection Engine

Preprocessors are components or plug-ins used with Snort to arrange or modify data packets before the detection engine examines them to find out whether the packet is being used by an intruder. Hackers use different techniques to fool an IDS. For example, you may have created a rule to find the signature “scripts/iisadmin” in HTTP packets. If you match this string exactly, you can easily be fooled by a hacker who makes slight modifications to it, for example:

• “scripts/./iisadmin”

• “scripts/examples/../iisadmin”

• “scripts\iisadmin”

The detection engine is responsible for detecting whether any intrusion activity exists in a packet. It employs Snort rules for this purpose. The rules are read into internal data structures, or chains, where they are matched against all packets. If a packet matches any rule, the appropriate action is taken; otherwise the packet is dropped. Appropriate actions include logging the packet or generating an alert.
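A preprocessor that canonicalises the request path before the detection engine compares it with the signature defeats all three variants listed above. The following Python is an added example written for this page, not Snort's own preprocessor code; the signature string, the sample paths and the function names are constructed for illustration.

```python
"""Canonicalise an HTTP request path before signature matching.

Added example for this page (not Snort's own preprocessor code). The signature,
sample paths and function names are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

SIGNATURE = "scripts/iisadmin"  # the pattern the rule in the text looks for


def naive_match(raw_path, signature=SIGNATURE):
    """Exact substring match on the raw path: the approach the text says is easy to fool."""
    return signature in raw_path


def normalize_uri_path(raw_path, case_insensitive=True):
    """Return a canonical form of raw_path so that equivalent spellings compare equal.

    Steps, applied once each and in this order:
      1. decode %XX escapes (one pass);
      2. treat backslash as a directory separator, as IIS does;
      3. collapse './', 'dir/../' and repeated slashes with posixpath.normpath;
      4. optionally lower-case, because IIS paths are case-insensitive.
    """
    path = unquote(raw_path)
    path = path.replace("\\", "/")
    while path.startswith("//"):            # normpath would keep exactly two leading slashes
        path = path[1:]
    path = posixpath.normpath(path)
    if case_insensitive:
        path = path.lower()
    return path


def normalized_match(raw_path, signature=SIGNATURE):
    """Signature check after canonicalisation."""
    return signature in normalize_uri_path(raw_path)


# Constructed sample request paths: the three evasions from the text plus a few more.
SAMPLES = [
    "scripts/iisadmin",               # plain
    "scripts/./iisadmin",             # current-directory insert
    "scripts/examples/../iisadmin",   # parent-directory traversal
    "scripts\\iisadmin",              # backslash separator
    "/SCRIPTS//%69isadmin",           # case change, doubled slash, percent-encoded 'i'
    "scripts/admin",                  # benign: must not match
]


def compare_matchers(paths=SAMPLES):
    """Return {path: (naive_result, normalized_result)} for each sample path."""
    return {p: (naive_match(p), normalized_match(p)) for p in paths}


if __name__ == "__main__":
    for path, (naive, norm) in compare_matchers().items():
        print(f"{path!r:35} naive={naive!s:5} normalized={norm}")
```

Running the block shows the naive matcher catching only the plain spelling while the normalised matcher catches every variant and still rejects the benign path. Decoding is deliberately a single pass: the canonical form the engine sees should be the one the server would actually resolve, and each extra transformation is a place where the IDS and the server can disagree.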

1.3 Logging and Alerting System

Logs are kept in simple text files, tcpdump-style files or some other form. All of the log files are stored under the /var/log/snort folder by default.

Logging Snort Data in Text Format

The following command logs all Snort data in the /var/log/snort directory in addition to displaying it on the console.

snort -dev -l /var/log/snort

Logging Snort in Binary Format

On high-speed networks, logging data in ASCII format in many different files may cause high overhead. Snort allows you to log all data in a single binary file in tcpdump format.

A typical command for this type of log is:

snort -l /tmp -b

Snort will create the file in the /tmp directory.

An alert rule is written as follows:

alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";)

1.4 Output Modules

Depending on the configuration, output modules can do the following:

• Simply logging to the /var/log/snort/alerts file or some other file

III.  IMPLEMENTATION

Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection.

1)  In sniffer mode, the program will read network packets and display them on the console.

Figure 2: Packet sniffing by Snort

2)  In packet logger mode, the program will log packets to the disk.

Figure 3: Log record

3)  In intrusion detection mode, the program will monitor network traffic and analyze it against a ruleset defined by the user. The program will then perform a specific action based on what has been identified.

Figure 4: Configuration

Snort has the following option fields available:

1. content: Search the packet payload for a specified pattern.

2. flags: Test the TCP flags for specified settings.

3. ttl: Check the IP header's time-to-live (TTL) field.

alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";)

alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";)

4. itype: Match on the ICMP type field.

5. icode: Match on the ICMP code field.

6. minfrag: Set the threshold value for IP fragment size.

7. id: Test the IP header for the specified value.

8. ack: Look for a specific TCP header acknowledgement number.

9. seq: Look for a specific TCP header sequence number.

10. logto: Log packets matching the rule to the specified filename.

11. dsize: Match on the size of the packet payload.

12. offset: Modifier for the content option, sets the offset into the packet payload to begin the content search.

13. depth: Modifier for the content option, sets the number of bytes from the start position to search through.

14. msg: Sets the message to be sent when a packet generates an event.

These options may be combined in a single rule.
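To show how the header fields and the option fields above combine, here is a deliberately small rule parser and matcher in Python. It is an added example for this page, not Snort's detection engine: only content with offset/depth, dsize, ttl, flags and msg are implemented, option values are split on ";" (so quoted values containing ";" are not supported), and the Packet class, the third rule and the sample packets are constructed for illustration. The first two rules are the ones quoted in the text.

```python
"""Parse Snort-style rules and evaluate them against packets.

Added example for this page, not Snort's detection engine: a small model of how
the header fields and the option fields listed above combine. Only content with
offset/depth, dsize, ttl, flags and msg are implemented; the Packet class, the
third rule and the sample packets are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    ttl: int = 64
    flags: str = ""        # TCP flags as letters, e.g. "S", "SA", "PA"


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Split one rule into its header fields and a dict of option name -> value."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    options = {}
    # Options are 'name: value;' pairs; this split assumes no ';' inside a quoted value.
    for opt in body.split(";"):
        if opt.strip():
            name, _, value = opt.partition(":")
            options[name.strip()] = value.strip().strip('"')
    return Rule(action, proto, src, sport, dst, dport, options)


def ip_matches(spec, addr):
    """'any', a single address, or CIDR such as 10.1.1.0/24."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """'any', a single port, or a range such as 6000:6010 (open ends allowed)."""
    if spec == "any":
        return True
    if ":" not in spec:
        return int(spec) == port
    lo, _, hi = spec.partition(":")
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)


def options_match(opts, pkt):
    """Every option present must hold; offset/depth narrow the window content is searched in."""
    if "content" in opts:
        start = int(opts.get("offset", 0))
        end = start + int(opts["depth"]) if "depth" in opts else len(pkt.payload)
        if opts["content"].encode() not in pkt.payload[start:end]:
            return False
    if "dsize" in opts and len(pkt.payload) != int(opts["dsize"]):
        return False
    if "ttl" in opts and pkt.ttl != int(opts["ttl"]):
        return False
    if "flags" in opts and set(opts["flags"]) != set(pkt.flags):
        return False
    return True


def rule_matches(rule, pkt):
    """Header fields first, then the option fields; all of them must agree."""
    return (rule.proto == pkt.proto
            and ip_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and ip_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)
            and options_match(rule.options, pkt))


def evaluate(rules, pkt):
    """Return the msg of every rule the packet triggers (empty list: no event)."""
    return [r.options.get("msg", "") for r in rules if rule_matches(r, pkt)]


# The two rules from the text plus one constructed rule using offset, depth and flags.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";)',
    'alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";)',
    'alert tcp any any -> 10.1.1.0/24 80 (content: "GET "; offset: 0; depth: 4; flags: PA; msg: "HTTP GET";)',
]]

# Constructed sample packets.
PHF_PROBE = Packet("tcp", "192.0.2.10", 40000, "10.1.1.5", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n", flags="PA")
X11_CONN = Packet("tcp", "192.0.2.10", 40001, "10.1.1.5", 6003, flags="S")
OUTSIDE = Packet("tcp", "192.0.2.10", 40002, "10.2.0.1", 80, b"GET /cgi-bin/phf HTTP/1.0\r\n", flags="PA")

if __name__ == "__main__":
    for name, pkt in [("PHF_PROBE", PHF_PROBE), ("X11_CONN", X11_CONN), ("OUTSIDE", OUTSIDE)]:
        print(name, evaluate(RULES, pkt))
```

The third packet carries the same payload as the first but is addressed outside 10.1.1.0/24, so no rule fires: the header fields act as a cheap filter before any payload search, which is why the real engine groups rules by header before applying content checks.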

B.  Behavioural/Anomaly matching

Bayesian methods can be applied to data gathered from distributed IDSs in order to improve the ability to detect distributed attacks against infrastructure, and the preliminary phases of distributed denial of service attacks, as early as possible. A powerful set of modeling methods has emerged that combines graph theory with Bayesian probability, enabling the construction of highly complex models involving large numbers of interrelated hypotheses.

The Bayesian network

Bayesian networks are well suited for anomaly detection, because they can handle high dimensional data, which humans find difficult to interpret.

A Bayesian network encodes a probabilistic model over a set of related variables by using a directed graph to represent qualitative relationships and local probability distributions to represent quantitative information about the strength of the relationships. Bayesian networks can represent both causal and statistical dependency relationships.

IV.  OBSERVATIONS

A set of random variables can represent uncertain hypotheses. The random variable GlobalIntention represents whether a user is normal or a security threat.

Figure 5: Bayesian Network

The probability that a user is a threat is influenced by the value of the Motive random variable. Although users are likely to be normal regardless of motive, users with personal, financial or political motives are more likely to be threats. The remaining random variables represent the user’s assigned task.
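The reasoning in the two paragraphs above can be carried out mechanically once the graph and its probability tables are fixed. The following Python is an added example for this page, not code from the paper: the network shape (Motive -> GlobalIntention -> Task) is an assumption standing in for Figure 5, and every probability table is a constructed value chosen to reflect the text, namely that users are mostly normal whatever their motive but personal, financial or political motives raise the threat rate. Inference is done by plain enumeration over all assignments, which is the general algorithm of which the text gives one instance.

```python
"""Inference by enumeration over a small Bayesian network for user intent.

Added example for this page. The graph Motive -> GlobalIntention -> Task is an
assumption standing in for Figure 5; all probabilities below are constructed.
"""
from itertools import product

MOTIVES = ("none", "personal", "financial", "political")
INTENTIONS = ("normal", "threat")
TASKS = ("routine", "admin", "data_export")

# P(Motive)  (constructed)
P_MOTIVE = {"none": 0.70, "personal": 0.10, "financial": 0.10, "political": 0.10}

# P(GlobalIntention = threat | Motive)  (constructed): mostly normal, but motives raise the rate
P_THREAT_GIVEN_MOTIVE = {"none": 0.01, "personal": 0.05, "financial": 0.15, "political": 0.10}

# P(Task | GlobalIntention)  (constructed): threats disproportionately export data
P_TASK_GIVEN_INTENTION = {
    "normal": {"routine": 0.80, "admin": 0.15, "data_export": 0.05},
    "threat": {"routine": 0.30, "admin": 0.20, "data_export": 0.50},
}


def joint_probability(motive, intention, task):
    """P(Motive, GlobalIntention, Task) via the chain rule along the graph's edges."""
    p_threat = P_THREAT_GIVEN_MOTIVE[motive]
    p_intention = p_threat if intention == "threat" else 1.0 - p_threat
    return P_MOTIVE[motive] * p_intention * P_TASK_GIVEN_INTENTION[intention][task]


def posterior_threat(evidence):
    """P(GlobalIntention = threat | evidence).

    evidence maps variable names ('Motive', 'Task') to observed values; an empty
    dict gives the prior threat probability. The joint is summed over every full
    assignment consistent with the evidence; that is fine for three variables,
    larger graphs need variable elimination or sampling instead.
    """
    numerator = 0.0
    normaliser = 0.0
    for motive, intention, task in product(MOTIVES, INTENTIONS, TASKS):
        assignment = {"Motive": motive, "GlobalIntention": intention, "Task": task}
        if any(assignment[var] != value for var, value in evidence.items()):
            continue
        p = joint_probability(motive, intention, task)
        normaliser += p
        if intention == "threat":
            numerator += p
    return numerator / normaliser


if __name__ == "__main__":
    for ev in [{}, {"Motive": "financial"}, {"Task": "data_export"},
               {"Motive": "financial", "Task": "data_export"}]:
        print(f"P(threat | {ev}) = {posterior_threat(ev):.3f}")
```

With these constructed tables the prior threat probability is 0.037; observing a financial motive alone raises it to 0.15, observing a data export alone to about 0.28, and observing both to about 0.64. The point for an analyst is that a single observation rarely settles the question, and the network makes the accumulation of evidence explicit.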

Bayesian spam filtering is the process of using a naïve Bayes classifier to identify spam email. It is based on the principle that most events are dependent and that the probability of an event occurring in the future can be inferred from the previous occurrences of that event. This same technique can be used to classify spam.

TABLE III

Comparison of Bayesian and Spam Butcher's spam filters

Concept / Bayesian spam filter / SpamButcher's anti-spam filtering
Idea / Uses mathematical observations / Uses fuzzy logic
Data points for spam filtering / Is based on probability theory, uses collected data points / Both machine-collected data and human-selected data points

Bayesian email filters take advantage of Bayes' theorem. Bayes' theorem is used several times in the context of spam:

·  a first time, to compute the probability that the message is spam, knowing that a given word appears in this message;

·  a second time, to compute the probability that the message is spam, taking into consideration all of its words (or a relevant subset of them);

·  sometimes a third time, to deal with rare words.

V.  FORMULATION

Computing the probability that a message containing a given word is spam

Let's suppose the suspected message contains the word "replica". Most people who are used to receiving e-mail know that this message is likely to be spam, more precisely a proposal to sell counterfeit copies of well-known brands of watches. The spam detection software, however, does not "know" such facts; all it can do is compute probabilities.

The formula used by the software to determine that is derived from Bayes' theorem:

$$\Pr(S \mid W) = \frac{\Pr(W \mid S)\,\Pr(S)}{\Pr(W \mid S)\,\Pr(S) + \Pr(W \mid H)\,\Pr(H)}$$

where:

·  $\Pr(S \mid W)$ is the probability that a message is spam, knowing that the word "replica" is in it;

·  $\Pr(S)$ is the overall probability that any given message is spam;

·  $\Pr(W \mid S)$ is the probability that the word "replica" appears in spam messages;

·  $\Pr(H)$ is the overall probability that any given message is not spam (is "ham");

·  $\Pr(W \mid H)$ is the probability that the word "replica" appears in ham messages.

Recent statistics show that the current probability of any message being spam is 80%, at the very least:

$\Pr(S) = 0.8$, $\Pr(H) = 0.2$

However, most Bayesian spam detection software makes the assumption that there is no a priori reason for any incoming message to be spam rather than ham, and considers both cases to have equal probabilities of 50%:

$\Pr(S) = 0.5$, $\Pr(H) = 0.5$

The filters that use this hypothesis are said to be "not biased", meaning that they have no prejudice regarding the incoming email. This assumption permits simplifying the general formula to:

$$\Pr(S \mid W) = \frac{\Pr(W \mid S)}{\Pr(W \mid S) + \Pr(W \mid H)}$$

This quantity is called the "spamicity" of the word "replica", and can be computed. The number $\Pr(W \mid S)$ used in this formula is approximated by the frequency of messages containing "replica" among the messages identified as spam during the learning phase.
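The following Python carries the formulation above through on a constructed training corpus: it estimates $\Pr(W \mid S)$ and $\Pr(W \mid H)$ as message frequencies from the learning phase, computes the spamicity of "replica" both with the 80%/20% prior and with the unbiased 50%/50% prior, and then goes beyond the single-word case to the second and third uses of Bayes' theorem listed earlier (combining all words of a message, and correcting for rare words). It is an added example for this page, not code from the paper; the corpus, the function names, the naive-Bayes combination rule and the rare-word correction (a weighted average of the word's spamicity with the prior, strength parameter s) are assumptions beyond the page's own formula.

```python
"""Word-level and message-level Bayesian spam scoring.

Added example for this page (not code from the paper). The training corpus is
constructed; the combination rule and rare-word correction are standard choices
assumed here, not given by the text.
"""
from collections import Counter
from math import prod

# Constructed training corpus: messages already labelled during the learning phase.
SPAM_TRAINING = [
    "buy replica watches",
    "replica rolex cheap",
    "cheap replica watches",
    "cheap watches today",
]
HAM_TRAINING = [
    "meeting tomorrow morning",
    "replica of the report attached",
    "lunch meeting today",
    "project report review",
]


def doc_frequency(messages):
    """Number of messages each word occurs in (a word counts once per message)."""
    counts = Counter()
    for msg in messages:
        counts.update(set(msg.lower().split()))
    return counts


SPAM_DF = doc_frequency(SPAM_TRAINING)
HAM_DF = doc_frequency(HAM_TRAINING)


def p_word_given_spam(word):
    """Pr(W|S): fraction of spam training messages containing the word."""
    return SPAM_DF[word] / len(SPAM_TRAINING)


def p_word_given_ham(word):
    """Pr(W|H): fraction of ham training messages containing the word."""
    return HAM_DF[word] / len(HAM_TRAINING)


def spamicity(word, prior_spam=0.5):
    """Pr(S|W) from Bayes' theorem; prior_spam=0.5 gives the unbiased formula."""
    p_ws, p_wh = p_word_given_spam(word), p_word_given_ham(word)
    prior_ham = 1.0 - prior_spam
    denominator = p_ws * prior_spam + p_wh * prior_ham
    if denominator == 0:          # word never seen in training: no evidence either way
        return prior_spam
    return (p_ws * prior_spam) / denominator


def corrected_spamicity(word, s=1.0, prior_spam=0.5):
    """Rare-word correction (assumed): pull a word seen n times toward the prior,
    with strength s, so a word seen once in spam does not get spamicity 1.0."""
    n = SPAM_DF[word] + HAM_DF[word]
    return (s * prior_spam + n * spamicity(word, prior_spam)) / (s + n)


def message_spam_probability(message, prior_spam=0.5):
    """Naive-Bayes combination (assumed) of the corrected spamicities of all words:
    p = prod(p_i) / (prod(p_i) + prod(1 - p_i))."""
    ps = [corrected_spamicity(w, prior_spam=prior_spam) for w in set(message.lower().split())]
    spam_side = prod(ps)
    ham_side = prod(1.0 - p for p in ps)
    return spam_side / (spam_side + ham_side)


if __name__ == "__main__":
    print("Pr(S|replica), unbiased:", spamicity("replica"))
    print("Pr(S|replica), 80% prior:", spamicity("replica", prior_spam=0.8))
    for text in ["cheap replica watches", "project report review"]:
        print(f"{text!r}: {message_spam_probability(text):.3f}")
```

With this corpus "replica" appears in 3 of 4 spam and 1 of 4 ham messages, so the unbiased spamicity is 0.75 and the 80% prior pushes it to about 0.92. The correction matters for words such as "cheap", which never appear in ham: uncorrected they would get spamicity exactly 1.0 and a single such word would dominate every message it appears in.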

VI.  ENHANCEMENT

Spatial analysis techniques can be used along with an intrusion detection system for the graphical modeling of packet flow, which would help in analysing the source of an attack and its likely targets.

Spatial analysis or spatial statistics includes any of the formal techniques which study entities using their topological, geometric, or geographic properties. However, in spatial analysis we are concerned with specific types of mathematical spaces, namely geographic space. In geographic space, the observations correspond to locations in a spatial measurement framework that captures their proximity in the real world.

Spatial autocorrelation statistics measure and analyze the degree of dependency among observations in a geographic space.

Supported Platforms

Snort is supported on a number of hardware platforms and operating systems. Currently Snort is available for the following operating systems:

• Linux

• OpenBSD

• FreeBSD

• NetBSD

• Solaris (both Sparc and i386)

• HP-UX

• AIX

• IRIX

• MacOS

• Windows

VII. CONCLUSION

An intrusion into an information system is a malicious activity that compromises its security (e.g. integrity, confidentiality, and availability) through a series of events. For example, an intrusion may compromise the integrity and confidentiality of an information system by gaining root-level access and then modifying or altering information to damage the individual, the system, or the organisation as a whole. The information may be used maliciously to disrupt the smooth working of the system and to introduce interruptions such as denial of service. An intrusion detection system plays a vital role in protecting the system from such intrusions.
