Framework for vulnerability reduction in real time intrusion detection and prevention systems using SOM based IDS with Netfilter-Iptables
Abhinav Kumar, X-Scholar, CSE Department, Jaypee Institute of Information Technology, Deemed University, Noida, India
Kunal Chadha, X-Scholar, CSE Department, Jaypee Institute of Information Technology, Deemed University, Noida, India
Dr. Krishna Asawa, Associate Prof., CSE/IT Department, Jaypee Institute of Information Technology, Deemed University, Noida, India

Abstract— Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are among the available ways of handling attacks and intrusions, but the credibility of such systems is itself at stake: none of the existing systems can guarantee safety. In this paper we propose integrating a SOM-based intrusion detection system with an intrusion prevention system on the Linux platform. The framework reduces real-time security risk by using self-organizing maps for intrusion detection, followed by packet filtering through Netfilter-iptables to handle the malicious packets.

Keywords— Intrusion Detection System, SOM.

I. INTRODUCTION

In today's world every computer is vulnerable and nothing is secure, yet the quest for ideal security continues. The Internet and other forms of network communication are proving to be both a boon and a bane: a boon in the new dimensions they give to business, a bane in the harmful effects of intrusions into networks. Every now and then we witness new types of attacks and struggle to solve them. As soon as one computer is connected to another, there is the added possibility that someone using the other computer can access our computer's information, eventually leading to intrusions.
Recent surveys show that cyber attacks targeted at networks are no longer unlikely incidents that happen only to a few exposed networks of organizations in the limelight. In the struggle to implement and maintain an IT security policy, professional IT security management can no longer ignore these issues: attacks are more frequent and more devastating, and commercial success depends directly on the safe and reliable operation of the network [4]. An intrusion is an action that attacks the integrity, confidentiality or availability of system resources [3]. Intrusion detection systems were developed to detect malicious packets travelling on the network in real time, but they have limitations; for example, they cannot perform session-based detection that spans multiple packets [2]. In a network-based IDS, packets are examined by header and payload for attack signatures stored in the IDS signature database, the vital part of any IDS [4]; but such a system is inefficient when it comes to blocking those attacks, which can therefore still enter the system. Each such system is passive, reporting intrusions rather than stopping them, and hence does not provide real-time security. For such situations we propose a real-time system consisting of an intrusion detection system based on self-organizing maps, which traces the malicious packets, together with an intrusion prevention system in the Linux environment that handles them. The self-organizing map is an unsupervised learning method with the ability to express topological relationships [22]. The hypothesis is that typical connection characteristics will be emphasized, forming densely populated regions of the map, whereas atypical activity will appear in sparse regions of the topology [22].

The choice of SOM for intrusion detection is also guided by its robustness with regard to the number of classes into which the data is divided, and by its resistance to outliers in the training data. This is a desirable property: in real-world situations the training data may already contain attacks or anomalies, and the algorithm must be able to learn regular patterns from a "dirty" training set [25]. Detection is followed by prevention using the Netfilter-iptables facility of the Linux kernel [3]. Our system blocks malicious packets as soon as they are detected, in real time and without external help. The paper is organized as follows: we discuss existing intrusion detection systems and intrusion prevention systems, then describe the framework, which consists of the training of the SOM and the use of Netfilter-iptables for packet filtering.

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 4, July 2010, ISSN 1947-5500
II. EXISTING INTRUSION DETECTION SYSTEMS

Scientists and researchers have been working for years on a perfect intrusion detection system (IDS) that cannot be bluffed. Its main job is to monitor, analyze, detect and respond to intrusions into information systems [5]. Intrusion detection systems can be broadly categorized into signature-based and anomaly-based systems; either kind may be passive. A signature-based IDS looks for attack signatures, specific patterns of network traffic or of activity in log files that indicate suspicious behaviour; when such a signature is found an alarm is triggered [6, 7]. Within this category, an IDS that searches for attack signatures in traffic flowing on the network is a network intrusion detection system (NIDS), and one that does so by examining the log files of hosts is a host intrusion detection system (HIDS) [4]. HIDS is mostly deployed in e-commerce environments to secure sensitive data, but it serves the purpose only at the host level. NIDS searches for attack signatures at the packet level and raises an alarm as soon as a match is found. An anomaly-detection IDS uses statistical techniques: it begins by establishing a baseline of what statistically normal behaviour is for the system, then captures new statistical data and measures its deviation from the baseline; once a threshold is exceeded, an alarm is generated [4].

All of the above IDSs suffer from some serious limitations. As attack trails grow, it becomes difficult for a network or host IDS of limited capability to detect the attacks [9]. Among the limitations:

1) High misinformation rate. Bulky logs and real-time prevention are problems that have not yet been solved efficiently [3]. An alarm may be raised although no attack occurred (false positive), or no alarm raised although there was an attack (false negative). Hence there is a need for a more exact and effective access control policy [8], and in anomaly detection methods the baseline needs to be adjusted dynamically.
2) Once an IDS is itself attacked, the attacker is free to move around the network [8].
3) There is no way for an IDS to block an attacker; it remains confined to its primary job of detection.

III. INTRUSION PREVENTION SYSTEM

An intrusion prevention system (IPS), also known as a network defense system (NDS), is a system in which a firewall is tightly coupled with an IDS, so that it can react to changes in the network environment [8]. It can take the form of software or hardware; it helps to block external attacks, to prevent the loss, destruction or alteration of internal information by illegitimate users over the Internet, and to provide internal information to the outside safely. It is an active protection process that prohibits incoming illegal traffic and permits only authorized traffic [17]. An IPS is generally located behind the router and checks the packets forwarded by the router by analyzing them and comparing them against filter rules [16]. For proper security an IPS should meet criteria such as: it must sit inline on the communication link and be supported by dedicated hardware, it should actively detect intrusions in real time, and it should block those intrusions instantaneously.

IV. PROPOSED FRAMEWORK

The proposed framework for an efficient intrusion detection and protection system is an integration of a SOM-based intrusion detection system working in coherence with a Netfilter-iptables based firewall.
Self-organizing maps, being an unsupervised form of learning, are one of the best choices for intrusion detection because their core property is to identify the "odd" phenomenon even among a vast number of observations, and they require no a priori knowledge. The DARPA 1998 Intrusion Detection Evaluation data set, as distributed for the KDD Cup, consists of about 5 million labelled training connections and 2 million test connections [23]. Each record holds the values of 41 features of a connection together with its label (normal, smurf, Neptune, etc.). The 41 features comprise basic TCP features, content features, time-based traffic features and host-based traffic features [24]. Since the proposed work is a data-driven, unsupervised form of learning, only the 6 basic TCP features are used: duration of the connection, protocol type (tcp/udp/icmp), service (HTTP, etc.), destination bytes, source bytes and the value of the flag. Hence the SOM-based IDS has 6 inputs and classifies connections into three clusters: normal, smurf and Neptune, the latter two being attacks. Once the network is trained with this data, it is ready to detect malicious packets.

• Why SOM for intrusion detection?

Intrusions carried out by an unknown program lead to disasters because of their unknown behaviour and characteristics; although we can observe its characteristics, they remain a mystery to us, so we need to classify activity into normal and abnormal states [11]. The problem is thus reduced to defining the normal and the abnormal states. The self-organizing map architecture was developed by Teuvo Kohonen at the University of Helsinki. A self-organizing map is given only a series of input patterns and learns for itself how to group them so that similar patterns produce similar outputs. It consists of a single layer of cells, all of which are connected to a series of inputs. The inputs themselves are not cells and do no processing; they are just the points where the input signal enters the system [14], as shown in Figure 1.
This network learns without supervision, finding for itself what it needs to learn, without external help. In intrusion detection, unsupervised learning algorithms support the detection of anomalies [10, 12]. Moreover, such a learning algorithm can be tuned entirely to the specific network it operates in, which is also important for reducing the number of false positives and optimizing the detection rate [12].

• Training the SOM

Training a self-organizing map involves sampling, similarity matching and updating, after the initial setting of the weights to very small values in the range 0 to 0.01 [13]. The learning process is as follows:

1) Initialization: the only restriction is that the initial weight vectors $w_j(0)$ be different for $j = 1, 2, \ldots, l$, where $l$ is the number of neurons in the lattice.
2) Sampling: a sample vector $x$ (an activation pattern) is drawn from the input space with a certain probability and presented to the lattice. In the proposed work, out of the 41 features mentioned above, the 6 basic TCP features are presented to the network.
3) Similarity matching: every node is examined to find the one whose weights are most like the input vector; the winner is known as the best matching unit (BMU). It is found by iterating through all nodes and computing the Euclidean distance between each node's weight vector and the current input vector. Using the minimum-distance Euclidean criterion, the BMU $i(x)$ at time step $n$ is

$$i(x) = \arg\min_{j} \lVert x(n) - w_j \rVert, \qquad j = 1, 2, \ldots, l \qquad \text{(Formula 1)}$$

The node with the weight vector closest to the input vector is tagged as the BMU. As learning proceeds and new input vectors are presented to the lattice, the learning rate gradually decreases to zero according to the chosen learning-rate function [15], and the neighbourhood radius decreases as well.
4) Updating: the synaptic weight vectors of all neurons are updated by

$$w_j(n+1) = w_j(n) + \eta(n)\, h_{j,i(x)}(n)\, \bigl(x(n) - w_j(n)\bigr) \qquad \text{(Formula 2)}$$

where $\eta(n)$ is the learning-rate parameter, set to 0.1 initially, and $h_{j,i(x)}(n)$ is the neighbourhood function centred on the winning neuron $i(x)$; both $\eta(n)$ and $h_{j,i(x)}(n)$ are varied dynamically during learning for best results [14].
5) Continue from step 2 until no noticeable changes in the feature map are observed or a given number of iterations is reached (fixed in advance; 50000 in our case).

After training, the SOM is ready to categorize connections into three categories: smurf, Neptune and normal. After this phase the work of the intrusion prevention system starts.

The efficiency of an IPS is reduced by certain limitations of its basic principle. It performs packet filtering according to predefined rules, so what happens when there is a novel attack? An IPS is passive in the sense that it can only enforce its predefined rules and filter certain kinds of packets [18]. Apart from this, it is also unable to detect an attack carried out from within the organization's internal network. We propose to use Netfilter-iptables to overcome many of these drawbacks.

• Netfilter-iptables

Netfilter is a set of hooks inside the Linux kernel [18], a framework that enables packet filtering, network address (and port) translation and other packet mangling. It performs packet filtering based on rules held in packet-filtering tables in kernel space. The rules are grouped into chains according to the type of packet they deal with: rules for incoming packets are added to the INPUT chain, rules for outgoing packets to the OUTPUT chain, and rules for packets being forwarded to the FORWARD chain [20].
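The five training steps above, carried through in runnable form before the firewall side is taken up. This is an added example written for this page, not the authors' implementation: it is pure Python with no numpy, it trains on a constructed handful of KDD-style records (the six basic features plus a label; not real DARPA/KDD data), it assumes fixed ordinal encodings for protocol, service and flag and a log scaling for duration and byte counts (the paper does not state its encoding), and it uses a 5×5 lattice with 3000 iterations instead of the paper's 50000. After training, each neuron is labelled by majority vote of the training records it wins, which is how the three clusters normal/smurf/Neptune become a classifier.

```python
"""SOM over the six basic KDD'99 connection features (added example).
Pure Python; the records below are constructed, not from the real data set."""
import math
import random

# Constructed KDD-style records: duration,protocol_type,service,src_bytes,
# dst_bytes,flag,label. Real records carry 41 features; only these 6 are used.
TRAINING_RECORDS = """\
0,tcp,http,181,5450,SF,normal
0,tcp,http,239,486,SF,normal
0,tcp,http,235,1337,SF,normal
0,tcp,smtp,1084,386,SF,normal
0,udp,domain_u,45,44,SF,normal
0,icmp,ecr_i,1032,0,SF,smurf
0,icmp,ecr_i,520,0,SF,smurf
0,icmp,ecr_i,1032,0,SF,smurf
0,tcp,private,0,0,S0,neptune
0,tcp,private,0,0,S0,neptune
0,tcp,private,0,0,REJ,neptune
"""
# Assumed vocabularies (a deployment would derive them from its training set);
# unknown values map to the last entry.
PROTOCOLS = ["tcp", "udp", "icmp", "other"]
SERVICES = ["http", "smtp", "domain_u", "ecr_i", "private", "other"]
FLAGS = ["SF", "S0", "REJ", "RSTO", "OTH"]


def _ordinal(vocab, value):
    """Categorical value -> evenly spaced number in [0, 1]."""
    idx = vocab.index(value) if value in vocab else len(vocab) - 1
    return idx / (len(vocab) - 1)


def _log_scale(value, cap):
    """Heavy-tailed count -> [0, 1] via log1p, saturating at `cap`."""
    return min(1.0, math.log1p(float(value)) / math.log1p(cap))


def encode(record):
    """Build the 6-dimensional input vector presented to the lattice."""
    f = record.split(",")
    return [_log_scale(f[0], 60000),      # duration (seconds)
            _ordinal(PROTOCOLS, f[1]),    # protocol_type
            _ordinal(SERVICES, f[2]),     # service
            _log_scale(f[3], 1e7),        # src_bytes
            _log_scale(f[4], 1e7),        # dst_bytes
            _ordinal(FLAGS, f[5])]        # connection status flag


def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


class SOM:
    def __init__(self, rows, cols, dim, seed=0):
        rng = random.Random(seed)
        self.rows, self.cols, self.dim = rows, cols, dim
        # Step 1: distinct small random weights in [0, 0.01].
        self.w = [[rng.uniform(0.0, 0.01) for _ in range(dim)]
                  for _ in range(rows * cols)]
        self.labels = [None] * (rows * cols)

    def bmu(self, x):
        """Formula 1: index of the neuron nearest to x (Euclidean)."""
        return min(range(len(self.w)), key=lambda j: _dist2(x, self.w[j]))

    def train(self, xs, iters=3000, eta0=0.1, seed=1):
        rng = random.Random(seed)
        sigma0 = max(self.rows, self.cols) / 2.0
        for n in range(iters):
            x = rng.choice(xs)                             # step 2: sampling
            i = self.bmu(x)                                # step 3: matching
            eta = eta0 * (1.0 - n / iters)                 # learning rate -> 0
            sigma = max(0.3, sigma0 * (1.0 - n / iters))   # shrinking radius
            ri, ci = divmod(i, self.cols)
            for j, wj in enumerate(self.w):                # step 4: Formula 2
                rj, cj = divmod(j, self.cols)
                h = math.exp(-((ri - rj) ** 2 + (ci - cj) ** 2)
                             / (2.0 * sigma * sigma))      # Gaussian h_{j,i(x)}
                for k in range(self.dim):
                    wj[k] += eta * h * (x[k] - wj[k])

    def label_map(self, xs, ys):
        """Tag each neuron with the majority label of the records it wins."""
        votes = [{} for _ in self.w]
        for x, y in zip(xs, ys):
            tally = votes[self.bmu(x)]
            tally[y] = tally.get(y, 0) + 1
        self.labels = [max(t, key=t.get) if t else None for t in votes]

    def classify(self, x):
        """Label of the nearest labelled neuron (unlabelled cells are skipped)."""
        labelled = [j for j, lab in enumerate(self.labels) if lab is not None]
        return self.labels[min(labelled, key=lambda j: _dist2(x, self.w[j]))]


def train_and_classify(test_records):
    """Train on the constructed records, then classify unlabelled records."""
    rows = [r for r in TRAINING_RECORDS.splitlines() if r]
    xs = [encode(r) for r in rows]
    ys = [r.split(",")[6] for r in rows]
    som = SOM(5, 5, 6)
    som.train(xs)
    som.label_map(xs, ys)
    return [som.classify(encode(r)) for r in test_records]


if __name__ == "__main__":
    tests = ["0,tcp,http,200,3000,SF",       # ordinary web hit
             "0,icmp,ecr_i,1032,0,SF",       # echo-reply flood (smurf)
             "0,tcp,private,0,0,S0"]         # half-open SYN (neptune)
    for rec, verdict in zip(tests, train_and_classify(tests)):
        print(f"{rec:<26} -> {verdict}")
```

Two things a practitioner should take from this beyond the steps: the categorical features have to be turned into numbers before a Euclidean distance means anything, and an ordinal encoding like the one assumed here imposes an arbitrary ordering on services and flags, so a deployment would at least order the vocabularies by frequency or use one-hot inputs. Also, classify() always returns one of the three training labels; for the "sparse region" hypothesis in the introduction, the distance to the BMU should be thresholded as an anomaly score as well, so that a connection unlike anything in training is not silently filed as normal.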
Besides these three chains there are others, such as PREROUTING and POSTROUTING, as well as user-defined chains. As soon as a packet reaches a chain, its fate is decided there. When a packet matches a rule, the rule's target is applied: ACCEPT lets the packet continue to wherever it is destined (-j ACCEPT); DROP blocks the packet and performs no further processing on it (-j DROP); REJECT is similar to DROP but does not leave dead sockets, since it sends back an error message (-j REJECT), as shown in Figure 2 [21]. A few more actions can be performed on packets.

Figure 1 (Self Organizing Map): a single layer of cells, each connected to the inputs x1 … xN.
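The chains and targets just described are what the framework's firewall side manipulates: when the SOM flags a connection, the IDS hands the packet's address and port to the firewall, which adds a rule to block that address or port (Figure 3; the paper does this through libiptc). The following is an added example, not the paper's code, of that bridge written against the iptables command line in Python. Everything specific in it is an assumption of the example: the dedicated chain name SOM_BLOCK, the 600-second default time-to-live, the allow-list, and the FakeIptables class, which stands in for the binary so the logic runs without root or a kernel; the addresses in demo() are constructed documentation addresses. It also handles two things the paper's description leaves open: a repeated alert must not create duplicate rules, and a false positive against a management host must not cut the administrator off.

```python
"""IDS-to-firewall bridge (added example): turns SOM verdicts into iptables
rules, idempotently, with an allow-list and a time-to-live on each block."""
import subprocess
import time

CHAIN = "SOM_BLOCK"   # dedicated chain name; an assumption of this example


class Blocker:
    """Maintains DROP rules in a dedicated chain hooked in front of INPUT."""
    def __init__(self, run=None, ttl=600, never_block=(), clock=time.time):
        self.run = run if run is not None else self._real_run
        self.ttl = ttl                       # seconds a block stays in place
        self.never_block = set(never_block)  # hosts that must never be cut off
        self.clock = clock
        self.active = {}                     # (ip, port) -> expiry timestamp

    @staticmethod
    def _real_run(argv):
        # Invoke the real iptables binary (needs root); return its exit status.
        return subprocess.run(argv, capture_output=True).returncode

    def ensure_chain(self):
        """Create SOM_BLOCK and jump to it from INPUT, only if not done yet."""
        if self.run(["iptables", "-nL", CHAIN]) != 0:
            self.run(["iptables", "-N", CHAIN])
        if self.run(["iptables", "-C", "INPUT", "-j", CHAIN]) != 0:
            self.run(["iptables", "-I", "INPUT", "1", "-j", CHAIN])

    @staticmethod
    def rule(ip, port):
        """Match spec: block the source, optionally only one TCP port."""
        spec = ["-s", ip]
        if port is not None:
            spec += ["-p", "tcp", "--dport", str(port)]
        return spec + ["-j", "DROP"]

    def block(self, ip, port=None):
        """Called with the IP/port the IDS reports. Returns True if blocked."""
        if ip in self.never_block:
            return False                     # a false positive must not lock us out
        self.active[(ip, port)] = self.clock() + self.ttl
        spec = self.rule(ip, port)
        if self.run(["iptables", "-C", CHAIN] + spec) == 0:
            return True                      # rule already present: no duplicate
        return self.run(["iptables", "-A", CHAIN] + spec) == 0

    def expire(self):
        """Remove blocks whose TTL has passed; return how many remain active."""
        now = self.clock()
        for key, until in list(self.active.items()):
            if until <= now:
                self.run(["iptables", "-D", CHAIN] + self.rule(*key))
                del self.active[key]
        return len(self.active)


class FakeIptables:
    """In-memory stand-in for the iptables binary so the bridge runs offline."""
    def __init__(self):
        self.chains = {"INPUT": []}          # chain -> list of rule specs
        self.calls = []                      # every command line issued

    def __call__(self, argv):
        self.calls.append(" ".join(argv))
        op, args = argv[1], argv[2:]
        if op == "-nL":
            return 0 if args[0] in self.chains else 1
        if op == "-N":
            self.chains.setdefault(args[0], [])
            return 0
        rules = self.chains.get(args[0])
        if rules is None:
            return 1
        spec = args[2:] if op == "-I" else args[1:]   # -I takes a position
        if op == "-C":
            return 0 if spec in rules else 1
        if op in ("-A", "-I"):
            rules.append(spec)
            return 0
        if op == "-D" and spec in rules:
            rules.remove(spec)
            return 0
        return 1


def demo():
    """Drive the bridge with constructed IDS verdicts; return fake and count."""
    fake, now = FakeIptables(), [1000.0]
    b = Blocker(run=fake, ttl=60, never_block={"10.0.0.1"}, clock=lambda: now[0])
    b.ensure_chain()
    b.ensure_chain()                 # second call adds nothing
    b.block("203.0.113.7", 80)       # SOM said "neptune" on a SYN to :80
    b.block("203.0.113.7", 80)       # repeated alert, same rule, no duplicate
    b.block("198.51.100.9")          # SOM said "smurf" (ICMP, so no port)
    b.block("10.0.0.1", 22)          # allow-listed management host: refused
    now[0] += 61                     # TTL passes
    remaining = b.expire()
    return fake, remaining
```

Against a real kernel, construct Blocker() with no run argument and run as root; the -C (check) option it relies on exists in iptables 1.4.11 and later. Two design points worth keeping even if the rest changes: the jump is inserted at position 1 of INPUT so that a block takes effect before any earlier ACCEPT for established connections, and every block carries an expiry, because an attacker who can provoke false positives from the SOM (for example by spoofing the source of a flood) would otherwise be able to make the firewall block arbitrary addresses permanently.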
The iptables tool inserts and deletes rules in the kernel's packet-filtering table [21]. iptables is not a packet-filtering tool itself; it is the command-line tool for the Netfilter code built into the kernel, and we use it to write rules reflecting the current intrusion picture [3]. Some of its commands are: -N create a new chain, -L list the rules in a chain, -F flush the rules out of a chain, -A append a new rule to a chain, -I insert a new rule at a given position in a chain, -X delete an empty chain, -D delete the rule at a given position in a chain, or the first one that matches. For example, to delete rule 1 of the INPUT chain:

# iptables -D INPUT 1

To block packets from a given source address (the page's command omits the address, so `<ip-address>` is shown as a placeholder; -s selects the source address, -d would select the destination):

# iptables -A INPUT -s <ip-address> -j DROP

As soon as the SOM-based IDS finds an attack it generates an alert, and along with the alarm it passes the port number and IP address of the malicious packet to the Netfilter-iptables firewall. The IPS (firewall) then decides how to deal with that packet according to the rules in the kernel's packet-filtering table: the decision to drop, accept or reject incoming packets is taken at this point, after matching them against the predefined rules in the various chains (INPUT, OUTPUT, FORWARD). In cases of indecision, or if no rule for the packet is present in the table, the framework updates the table by inserting additional rules into it. This overcomes the limitation that only packets for which predefined rules exist can be handled. The update of the rule table is carried out through libiptc (a library for manipulating the packet-filtering function of the Netfilter framework) [3], and may take the form of blocking the particular IP address or only the particular port, as shown in Figure 3.

V. CONCLUSION AND FUTURE WORK

In this research we have investigated several intrusion detection and prevention systems and critically analyzed them.
We have explored the role of self-organizing maps, an artificial intelligence technique, in increasing the efficiency of intrusion detection systems. We also presented an extensive study of Netfilter-iptables for overcoming some limitations of existing intrusion prevention systems. Finally we proposed an integrated SOM-based IDS with a Netfilter-iptables firewall that needs no external help from an administrator to handle malicious packets. During the research we focused on only three classes: normal, smurf and Neptune. More practical IDSs should cover several attack types; therefore a possible future development of the present study is to include more attack scenarios in the data set. We used only the 6 basic TCP features of a connection to train the network for intrusion detection; further improvements can be made in future by including more parameters of a packet.

Figure 2 (Netfilter system) [21]: incoming packets pass through the INPUT chain to internal processes, forwarded packets through the FORWARD chain, and packets from internal processes through the OUTPUT chain; at each chain a packet is ACCEPTed, DROPed or REJECTed.

Figure 3 (Integrated framework): a sniffer captures the data packet and transfers its 6 TCP features over a communication channel to the trained SOM-based IDS; if the IDS reports an intrusion, the Netfilter-iptables firewall blocks the packet, otherwise the packet is ignored.

REFERENCES

[1] K. Shanmugasundaram, N. Memon, A. Savant and H. Bronnimann, "ForNet: A Distributed Forensics Network," in V. Gorodetsky et al. (Eds.), MMM-ACNS 2003, LNCS 2776, pp. 1–16, Springer-Verlag, Berlin Heidelberg, 2003.
[2] R. G. Bace, Intrusion Detection, Macmillan Technical Publishing, 2000.
[3] M. W. Kil, S. K. Kim, G. Lee and Y. Kwon, "A Development of Intrusion Detection and Protection System Using Netfilter Framework," in D. Ślęzak et al. (Eds.), RSFDGrC 2005, LNAI 3642, pp. 520–529, Springer-Verlag, Berlin Heidelberg, 2005.
[4] A. Fuchsberger, "Intrusion Detection Systems and Intrusion Prevention Systems," ISSN 1363-4127, Elsevier Ltd., doi:10.1016/j.istr.2005.08.00, 2005.
[5] B. H. Jeong, J. N. Kim and S. W. Sohn, "Current Status and Expectation of Techniques for Intrusion Protection System," jugidong/1098/109801.htm.
[6] K. Ilgun, R. A. Kemmerer and P. A. Porras, "State transition analysis: A rule based intrusion detection approach," IEEE Transactions on Software Engineering, March 1995.
[7] S. Kumar and E. H. Spafford, "An application of pattern matching in intrusion detection," Purdue University Technical Report CSD-TR-94-013, 1994.
[8] X. Zhang, C. Li and W. Zheng, "Intrusion prevention system design," IEEE, 2004, 0-7695-2216-5/04.
[9] D. C. Shim, "A trend of Intrusion Detection System," KISDI IT FOCUS 4, Korea Information Strategy Development Institute, 2001, pp. 61–65.
[10] K. Labib and V. R. Vemuri, "NSOM: A tool to detect denial of service attacks using self-organizing maps."
[11] S. Albayrak, A. Muller, C. Scheel and D. Milosevic, "Combining Self-Organizing Map Algorithms for Robust and Scalable Intrusion Detection," Proceedings of the 2005 International Conference on Computational Intelligence for Modelling, Control and Automation, and International Conference on Intelligent Agents, Web Technologies and Internet Commerce (CIMCA-IAWTIC'05), 2005.
[12] S. Zanero and S. M. Savaresi, "Unsupervised learning techniques for an intrusion detection system," Proceedings of ACM SAC'04, Nicosia, Cyprus, March 14–17, 2004, ACM 1-58113-812-1/03/04.
[13]
[14] S. Haykin, Neural Networks: A Comprehensive Foundation, Pearson Education, 4th Indian reprint, 2003.
[15] L. Vokorokos, A. Balaz and M. Chovanec, "Intrusion detection system using self organizing map," Acta Electrotechnica et Informatica, Vol. 6, No. 1, 2006.
[16] M. W. Kil, S. J. Kim, Y. Kwon and G. Lee, "Network Intrusion Protection System Using Rule-Based DB and RBAC Policy," IFIP International Federation for Information Processing, NPC 2004, LNCS 3222, pp. 670–675, 2004.
[17] Dictionary of Computer Terms.
[18] D. I. Cho, K. C. Song and B. K. Noh, Handbook of Analysis for Detection of Network Intrusion and Hacking, Infobook, 2001.
[19] netfilter/iptables project homepage – The netfilter project.
[20]
[21] HOWTO.txt
[22] P. Lichodzijewski, A. N. Zincir-Heywood and M. I. Heywood, "Dynamic Intrusion Detection Using Self-Organizing Maps," CITSS, 2002.
[23] The Third International Knowledge Discovery and Data Mining Tools Competition, May 2002.
[24] W. Lee, S. J. Stolfo and K. W. Mok, "Mining in a data-flow environment: experience in network intrusion detection," in Knowledge Discovery and Data Mining, pp. 114–124, 1999.
[25] S. Zanero, "Improving Self Organizing Map Performance for Network Intrusion Detection," 2004.
[26] K. Chadha and A. Kumar, Thesis submitted as part of Network Forensics Project, Jaypee Institute of Information Technology University, Noida.