International Journal of Network Security, Vol.1, No.2, PP.84– 102, Sep. 2005 (http://isrc.nchu.edu.tw/ijns/) 84 Research on Intrusion Detection and Response: A Survey Peyman Kabiri and Ali A. Ghorbani (Corresponding author: Ali A. Ghorbani) Faculty of Computer Science, University of New Brunswick, Fredericton, NB, E3B 5A3, Canada (Email: {kabiri, ghorbani}@unb.ca) (Received June 15, 2005; revised and accepted July 4, 2005) Abstract With recent advances in network based technology and increased dependability of our every day life on this tech- nology, assuring reliable operation of network based sys- tems is very important. During recent years, number of attacks on networks has dramatically increas e d and con- sequently interest in network intrusion detection has in- creased among the researchers. This paper provides a review on current trends in intrusion detection together with a study on technologies implemented by some re- searchers in this r e search area. Honey pots are effective detection tools to sense attacks such as port or email scan- ning activities in the network. Some features and appli- cations of honey pots are explained in this paper. Keywords: Detection methods, honey pots, intrusion de- tection, network security 1 Introd uction In the past two decades with the rapid progress in the Internet based technology, new application areas for com- puter network have emerged. At the same time, wide spread progre ss in the Local Area Network (LAN) and Wide Area Network (WAN) application areas in business, financial, industry, security and healthcare sectors made us more dep e ndent on the computer networks. All of these application areas made the network an attractive target for the abuse and a big vulnerability for the community. A fun to do job or a challenge to win action for some people became a nightmare for the others. In many cas e s malicious acts made this nightmare to become a reality. In addition to the hacking, new entities like worms, Trojans and viruses introduced more panic into the net- worked society. As the current situation is a relatively new phenomenon, network defenses are weak. However, due to the popularity of the computer networks, their con- nectivity and our ever growing dependency on them, real- ization of the threat can have devas tating consequences. Securing such an important infrastructure has become the priority one research area for many researchers. Aim of this paper is to review the current trends in Intrusion Detection Systems (IDS) and to analyze some current problems that exis t in this research area. In com- parison to some mature and well settled research areas, IDS is a young field of research. However, due to its mis- sion critical nature, it has attracted s ignificant attention towards itself. Density of research on this subject is con- stantly rising and everyday more researchers are engaged in this field of work. The threat of a new wave of cyber or network attacks is not just a probability that should be considered, but it is an accepted fact that can occur at any time. The current trend for the IDS is far from a reliable protective system, but instead the main idea is to make it possible to detect novel network attacks. One of the major concerns is to make sure that in case of an intrusion attempt, the system is able to detect and to report it. Once the detection is reliable, next s tep would be to protect the network (response). In other words, the IDS system will be upgraded to an Intrusion Detection and Respons e System (IDRS). However, no part of the IDS is currently at a fully reliable level. Even though researchers are concurrently engaged in working on both detection and respond sides of the system. A majo r prob- lem in the IDS is the guarantee for the intrusion detection. This is the reason why in many cases IDSs are used to- gether with a human expert. In this way, IDS is actually helping the network security officer and it is not relia ble enough to be trusted on its own. The reason is the in- ability of IDS systems to detect the new or alter e d attack patterns. Although the latest generation of the detection techniques has significantly improved the detection rate, still there is a long way to go. There are two major approaches for detecting intru- sions, signature-based and anomaly-based intrusion de- tection. In the first approach, attack patterns or the International Journal of Network Security, Vol.1, No.2, PP.84– 102, Sep. 2005 (http://isrc.nchu.edu.tw/ijns/) 85 behavior of the intruder is modeled (attack signature is modeled). Here the system will signal the intrusion once a match is detected. However, in the second approach nor- mal behavior of the network is modeled. In this approach, the system will raise the a larm once the behavior of the network does not match with its norma l behavior. There is another Intrusion Detection (ID) approach that is called sp e c ification-based intrusion detection. In this approach, the normal behavior (expected behavior) of the host is sp e c ified and consequently modeled. In this approach, as a direct price for the security, freedom of operation for the host is limited. In this paper, these approaches w ill be briefly discussed and compar e d. The idea of having an intruder accessing the system without even be ing able to notice it is the worst nightmare for any network security officer. Since the current ID technology is not accurate enough to provide a reliable detection, heuristic methodologies can be a way out. As for the last line of defense, and in order to reduce the number of undetected intrusions, heuristic methods such as Honey Pots (HP) can be deployed. HPs can be installed on any system and act as trap or decoy for a resource. Another major problem in this resear ch area is the sp e e d of detection. Computer networks have a dynamic nature in a sense that information and data within them are continuously changing. Therefore, detecting an intru- sion accurately and promptly, the system has to operate in real time. Operating in real time is not just to per- form the detection in real time, but is to adapt to the new dynamics in the network. Real time operating I DS is an active research area pursued by many researchers. Most of the research works are aimed to intro duce the most time efficient methodologies. The goal is to make the implemented methods suitable for the real time im- plementation. From a different perspective, two approaches can be envisaged in implementing an IDS. In this classification, IDS can be either host based or network based. In the host based IDS, system will only pr otect its own local ma- chine (its host). On the other hand, in the network based IDS, the ID process is somehow distr ibuted along the net- work. In this approach where the agent based technology is widely implemented, a distributed system will protect the network as a whole. In this architecture IDS might control or monitor network firewalls, network routers or network switches as well as the client machines. The main emphasis of this paper is on the detection part of the intrusion detection and response problem. Re- searchers have pursued different approaches or a combi- nation of different approaches to solve this problem. Each approach has its own theory and presumptions. This is so because there is no e xact behavioral model for the le- gitimate user, the intruder or the network itself. Rest of this paper is organized as follows: In Section 2, intrusion detection methodology and related theories are explained. Section 3 presents the system modeling approaches. In Section 4, different trends in IDS de- sign are presented. Section 5 describes the feature se- lection/extraction methods implemented in this area. In Section 6, application of honey pots in the network se- curity will be discussed. Finally, conclusions and future work are given in Section 7 and Section 8. 2 Intrusion Detection The first step in securing a networked system is to de- tect the attack. Even if the system c annot prevent the intruder from getting into the system, noticing the intru- sion will provide the security officer with valuable infor- mation. The Intrusion Detection (ID) can be considered to be the first line of defense for any security system. 2.1 Artificial Intelligence and Intrusion Detection Application of the artificial intelligence is widely used for the ID purpose. Researchers have propo sed several ap- proaches in this regard. Some of the researchers are more interested in applying rule base d methods to detect the intrusion. Data mining using the association rule is also one of the approaches used by some researchers to solve the intrusion detection problem. Researchers such as Bar- bara et al. [4, 5], Yoshido [43] and Lee et al. [30] have used these methods. Others have propos ed application of the fuzzy logic concept into the intrusion detection problem area. Works reported by Dickerson et al. [16], Bridg es et al. [8] and Botha et al. [7] are examples of those researchers that follow this approach. Some researchers e ven used a multi- disciplinary approach, for example, Gomez et al. [18] have combined fuzzy logic, genetic algorithm and asso- ciation rule techniques in their work. Cho [12] reports a work where fuzzy logic and Hidden Markov Model (HMM) have been deployed together to detect intrusions. In this approach HMM is used for the dimensionality reduction. Due to its nature, the data mining approach is widely appreciated in this field of research. Some researchers have tried to use the Bayesian methodology to solve the intrusion detection problem. The main idea behind this approach is the unique fea tur e of the Bayesian methodology. For a given consequence, using the probability calculations Bayesian metho dology can move back in time and find the cause of the events. This feature is suitable for finding the reaso n for a par- ticular anomaly in the network behavior. Using Bayesian algorithm, system can somehow move back in time and find the cause fo r the events. This algorithm is some- times used for the clustering purpos e s as well. Repor ted works from researchers such as Bulatovic et al. [9], Bar- bara et al. [5] and Bilodeau et al. [6] are examples of this approach. Although using the Bayesian for the intrusion detection or intruder behavior prediction can be very appealing, however, there are some issues that one should be con- cerned about them. Since the accurac y of this method International Journal of Network Security, Vol.1, No.2, PP.84– 102, Sep. 2005 (http://isrc.nchu.edu.tw/ijns/) 86 is dependent on certain pre sumptions, distancing from those presumptions will decrease its accuracy. Usually these presumptions are based on the behavioral model of the target system. Selecting an inaccurate model may lead to an inaccurate detection system. Therefore, select- ing an accurate model is the first step towards solving the problem. Unfortunately due to the complexity of the be- havioral model within this system finding such a model is a very difficult task. This paper will address the system modeling in the following section. Researchers such as Zanero et al. [44], Kayacik et al. [23] and Lei et al. [32] find the Artificial Neural Network (ANN) approach more appealing. These researchers had to overcome the curse of dimensionality for the complex systems problem. A suitable method is the Koho nen’s Self Organizing features Map (SOM) that they have pro- posed. Hu et al. [20] reports an improvement to the SOM approach used by Kayacik et al. [23], where the Support Vector Machine (SVM) method has been implemented to improve SOM. Using SOM will significantly improve the sensitivity of the mo del to the population of the input features. Zanero et al. [44] use the SOM to compress payload of every packet into one byte. The main goa l of using the ANN approach is to pro- vide an unsuper vised classification method to overcome the curse of dimensio nality for a large number of input features. Since the system is complex and input features are numerous, clustering the events can be a very time consuming task. Using the Principle Component Analysis (PCA) or Singular Value Deco mpositio n (SVD) methods can be an alternative solution [2]. However, if not used properly both of these methods can become computation- ally expensive algorithms. At the same time, reducing the number of features will lead to a less accurate model and consequently it will reduce the detection accuracy. In the computer networks intrusion detection problem area, the size of the feature space is obviously very large. Once the dimensions of the feature space are multiplied by the number of samples in the feature space, the re- sult will sure ly present a very large number. This is why some researchers either select a small sampling time win- dow or reduce the dimensionality of the feature space. Since the processing time is an important factor in the timely detection of the intrusion, the efficiency of the de- ployed algorithms is very important. T ime co ns traint may sometimes force us to have the less important features pruned (dimensionality reduction). However, the prun- ing approach is not always possible. Implementing data mining methodology, some researchers have proposed new data reduction approaches. Data compre ssion can be con- sidered to be an alternative approach to solve the high di- mensionality problem. Generation of association rules as it was proposed by Lee et al. [30, 31] is an alternative to reduce the size of the input data (Rule based approach). Size and dimensionality of the feature space are two major problems in IDS development. At the same time, methods such as Bayesian and HMM that use statistical or probability calculations can be very time consuming. Besides the dimensionality reduction or the data c ompres- sion methods, there are two other methods that can deal with the problem of computation time. These methods are explained in the following subsections. 2.2 Embedded Programming and Intru- sion Detection One approach is to preprocess the network information us- ing a preprocessor hardware (front-end proc e ssor). In this method some parts of the processing is performed prior to the IDS. This pre process will significantly reduce the pro- cessing load on the IDS and consequently the main CPU. Otey et al. [37] have reported a similar work by program- ming the Network Interface Card (NIC). This approach can have many properties including lower computational traffic and higher performance for the main processor. Im- plementing this approach will make it easier to detect va- riety of attacks such as Denial of Service (DoS) attack. This is because the NIC is performing the major part of the processing while the main processor only monitors the NIC operation. 2.3 Agent Based Intrusion Detection The second approach is the dis tributed or the agent based computing. In this approach not only the workload will be divided between the individual proce ssors, but also the IDS will be able to obtain an overall knowledge of the networks working condition. Having an overall view of the network will help the IDS to detect the intrusion more accurately and at the same time it can respond to the threats more effectively. In this approach, servers can communicate with one another and can alarm each other. In order to respond to an attack, sometimes it can be sufficient enough to disc onnect a subnet. In this type of system in order to contain a threat, the distributed IDS can order severs, routers or network switches to discon- nect a host or a subnet. One of the concerns with this type of system is the extra workload that the IDS will en- force on the network infrastructur e . The communication between the different hosts and servers in the network can produce a significant traffic in the network. The dis- tributed approach can increase the workload of the net- work layers within the hosts or servers and consequently it may slow them down. There are two approaches in implementing an agent based technology. In the first approach, a uto nomous dis- tributed agents are used to both monitor the system and communicate with other agents in the network. A Multi- agent based system will enjoy a better perception of the world surrounding it. Zhang et al. [46] report imple- menting a multi-agent based IDS where they have con- sidered four types of agents: Bas ic agent, Coordination agent, Global Coordination agent, Interface agents. Each one of these agents performs a different task and has its own subcategories. For example, the basic agent includes: International Journal of Network Security, Vol.1, No.2, PP.84– 102, Sep. 2005 (http://isrc.nchu.edu.tw/ijns/) 87 Workstation agents, Network segment agents and Pub- lic server agents. These subcatego ry agents respectively work on the workstations of the network, as well as, the subnet level and public server level (Mail agent or FTP agent). In this way, the complex system with bre akdown into much simpler systems and will become easier to ma n- age. In the second a pproach, mobile agents are used to travel through the network and collect information or to perform some tasks. Foo et al. [17] report an IDS de- velopment work [15] using mo bile agents. They use the Mitsubishi’s Concordia platform in their work to develop a mobile agent based IDS. Using the mobile agent, their IDS performs both the port sca nning and the integrity checks on the critical files of the system. The propo sed agent based IDS will raise the alarm if it detects any alter- ation on the critical files of the system. Mobile agents can be sent to o ther systems to monitor health of the target system and to collec t information. Luo et al. [33] introduce a new Mobile Agent Dis- tributed IDS (MADIDS). Authors address number of de- ficiencies that exist in distributed IDSs: “The overload of data transmission”, “The computation bottleneck of the central processing module” and “The delay of network transmission”. Paper reports that o ne of the main goals of the system is to improve the performance of the IDS in regard to speed and network traffic. In a work reported by Ramachandran et al. [38] the idea of neighborhood-watch is implemented for the net- work security. There are three different types of age nts in three different layers. All the agents are defined in PERL (Practical Extraction and Report Language). In the front line (bottom layer) there is a Cop agent that is a mobile agent. There are different types of Cop agents dependent on their assignments. A Cop agent is respon- sible for collecting data from various sites and reporting them to its respective detective ag e nt. In this system, each site will store all the important security information about its neig hbors. This infor mation includes checksum of c ritical data files and system binaries, etc. It will als o store a list of its neighbor s in the neighborhood. There are neighbor s (hosts) within each neighborhood (subnet) whom can be inspected by the mobile a gents called Cops. By voting among themselves, neighbors will decide on the course of action they intend to follow. This concept will be discussed in more detail in the following sections. 2.4 Software Engineering and Intrusion Detection As the complexity of the IDS increases, the problem of developing the IDS becomes mo re and more difficult. A programming language dedicated to developing IDSs can be useful for the developer community. Such a program- ming language with its special components will improve the programming standard for the IDS code. IDS devel- opers can enjoy the benefits of a new language dedicated to the IDS development. Such a language will improve both the programming speed and the quality of the final code. In a paper by Vigna et al. [41] the main attention is fo c used on the software engineering aspect of the IDS. Issues such as object-oriented programming, compo nent reusability and the programming language for the IDS are discussed in this paper. A new framework called State Transition Analysis Technique (STAT) is introduced in this paper. In their implemented framework, Vigna et al. [41] propose a type of state machine system called STAT that follows the state transition of the attack patterns. This framework is for developing signature based IDSs (The concept of the signature based IDS will be discus sed later in this paper). There is a STAT-Respo nse class that holds response modules. These response modules include library of actions that are associated with the pattern of the attack scenarios. All to gether, this language will produce an encapsulated object-oriented code with a high reusability in the code. There is an event provider mo dule that will provide the framework with the events occurring on the network. Another approa ch in programming languages for the IDS is to provide means to follow the state change in the system. In this way, the IDS will have the ability to have its behavior altered if necessary. Including this fea- ture in the IDS will make it adaptive and rec onfigurable. Possibility to alter the behavior of the IDS will provide us with a dynamically reconfigurable IDS. In a reported work, Sekar et al. [39] have implemented a State Machine Language (SML) approach based on the Extended Finite State Automata (EFSA) to model the correct or expected behavior of the network. Using a well designed program in SML, the state machine will be able to follow up with the events within the network and to produce appropr iate outputs. If no irregularities detected, then the anomaly detection part of the process will ana lyze the outputs and will detect the anomalies. There are two approaches in implementing an IDS. In the first approach, IDS is implemented in the form of software that is deployed on a server or a host. In this approach the final produce is not a physical object but it is software. In the second approach the IDS is built as a product with its own hardware platform (IDS appli- ance). In this type of IDS, once the product is installed on the network it will connect itself to the network and will start monitoring and analyzing the network. IDS can perform its duties in a way transparent to the network. Such approaches could help the IDS to perform the in- trusion detection in a more successful and non-intrusive way. At the same time, this type of products a re easier to install and will introduce minimum overhead on the network. Thus, their price might be higher. 2.5 Some Selected Papers This section will describe selected papers in different re- search areas of the IDS technology. International Journal of Network Security, Vol.1, No.2, PP.84– 102, Sep. 2005 (http://isrc.nchu.edu.tw/ijns/) 88 2.5.1 Bayesian (Statistical) Approach As an example for the implementation of the Bayesian method in IDS, Barbara et al. [5] report a work on the subject of intrusion detection for the ano maly detection. Authors re port similar categories (misuse and a nomaly detection for intrusion detection), they also rep ort the same features for these two methodologies. In order to be able to handle unknown attacks they have selected the anomaly detection metho d. Their aim is to improve the detection and false alarm rates generated by the sy stem. Their report indicates that this work is the c ontinuation of an ongoing research based on “an anomaly detection system called Audit Data Analysis and Mining” (ADAM). Their approach is mainly data mining oriented but in this paper the reported work is related to the pseudo-Bayes es- timators. The application for these estimators is to esti- mate the priori and posteriori probabilities of new attacks. In this work, Naive-Bayesian classifier is used to classify network instances. They also claim that due to the prop- erties of the pseudo-Bayes estimators, system won’t need any priori knowledge regarding the new attack patterns. ADAM consists of three parts. Part one is the pre- processor and its job is to collect da ta from the T CP/IP traffic data (network sniffer). The second par t is the data mining engine that extracts association rules from the col- lected data. Data mining engines main job is to search for unexpected behaviors. ADAM works in two modes: Training and detection modes. The last part of the sys- tem is the classification engine and its task is to classify the association rules into two classes: Normal and ab- normal. Abnormal classes can be later linked to some attacks. Authors report two main advantages for the system, first the ability to work in real time (online data mining operation) and then the strategy of anomaly detection of the system. In their system, rules depict behavior mod- els. These rules are saved in a database and constantly monitored. If a rule is a new rule and not yet re gistered in the database (anomaly) and its occurrences have reached to a thre shold value, then it will be labeled by the system as a suspicious event. The mining engine works in three levels: single level, domain level and feature level. Single level mining engine works in two different modes: static mining and dyna mic mining. The first one is for the normal operation time of the system when a profile is made for the system behavior. The second one however “uses a sliding window method that implements incre- mental, on-line associated rule mining”[5]. In the domain level mining engine, the source and des- tination IPs are monitored. The reported system may find it suspicious if both the source and destinatio n IP’s come from the same subnet. In the feature selection engine, a windowing technique is implemented to record instances of the network (every window is 3 seconds wide). In this way, system collects snap shots from the network behavior and then analyzes them. There is also a second slower sampling rate that is ev- ery 24 hours to detect the slow oc c urring but long lasting anomalies. Then the system will apply the domain level mining methods on them to c apture the rules and extract features. In the reported work, a selected number of at- tributes in the training data were reported to characterize classes. These classes reflect properties resulted during different levels of the data mining. Clas sifier is trained using the training data and later on is tested using the test data. In the reported work, a pseudo Bayesian classifier is used for the classification. The estimation part of this classifier has the smoothing feature. The pseudo Bayesian estimator is a popular method in discrete multivariate analysis. In the reported work, Barbara et a l. [5] use Dirichlet distribution probability density function as the kernel of the likelihood function. This method is us e d to estimate cell values for the tables with large number of sampling zeros. In these tables, it may also happe n that due to repeated sampling, some cells show mor e ze- ros than the others (density of zeros) and this is when the Dirichlet method will help us. The final stage of classifica- tion is carrie d out using the Naive Bayesian classification. One of the most interesting parts of this research is the use of Naive Bayesian classifier. In the description of the classifier, Barbara et al. have used the Dirichlet distri- bution to obtain the probability density function for the classifier. Dirichlet distribution [6] is a good choice for this type of problem. Dirichlet distribution and Gamma distribution are time related. For example, Gamma dis- tribution [6] will give an estimate for the time one have to wait (“waiting time in a Poisson process” [6]) before get- ting at least n successes. Bilodeau et al. in their book [6] proposed the following formula for the probability density function using Gamma estimation: f n (t) = λe −λt (λt) n−1 /(n − 1)!, t > 0 (1) In comparison to the Gamma distribution, Bilodeau et al. in their book [6] have described the Dirichlet distribution as “ simply the proportion of time waited”. Analysis: As time and its effects on the outcomes of any IDS is subject to a great importance in intrusion detection, addressing this issue gives a big a dvantage to this paper. The concept is very much into the linear algebra’s subject area and needs further study. At the same time by look ing at the formulas presented in either [5] or [6] reader can expect a high computation proces sing load for performing multiple multiplications (unless we can somehow go around this problem). There is still one question that remains to be answered and that is: “Can one be sure that input parameters to an IDS are indep e ndent from one another?” Dependent on the answer that might be yes or no, the method of ap- proach can be different. We are doubtful about taking the parameters as independent (or co nditional independent) parameters. This is because they serve the same purpose that is intrusion. However, on the contrary it can not necessarily mean that they are not dependent either, be- cause not all of the activities in the network are intrusions International Journal of Network Security, Vol.1, No.2, PP.84– 102, Sep. 2005 (http://isrc.nchu.edu.tw/ijns/) 89 and most of them are random legitimate activities. From our po int of view, this subject deserves more study. This is so because during the design stage understanding the statistical nature of these events will help us to build the optimum model of the s ystem. Barbara et al. [5] in their paper, present r e sults us- ing two configurations: In the first configuration, given training data after Naive-Bayesian Classifier detected the intrusion, system will remove it from the DARPA 1998 training data and then will apply the classifier on the DARPA 1999 test data. In the second approach however, the DARPA 1999 training data is selec ted with the same test data (DARPA 1999). Then both the test a nd training data are introduced to the Naive Bayesian classifier and the outcome is analyzed (using the test data). The pre- sented results are satisfactory but although they present a good research work, there is a concern with regard to the test environment. The problem arise s when Bar bara et al. [5] say: “To be tter evaluate the perfor mance of pseudo- Bayes estimator, we pick a set of attacks that behave very differently, while for the attacks that share some similarities, we only select one candidates to represent the rest”. In their conclusions they also talk about the prob- lem of detecting attacks similar in nature (Analysis: can we translate this to: dependent input variables?). Anal- ysis: The presented results confirmed our ambitions re- garding the choice of assuming input para meters from the network as either independent or dependent parameters! Since a random variable version of the Bayes estimator is implemented in their work and due to the following two assumptions in this method: 1) The multinomial distribution assumption in the Bayes estimator. 2) The assumption for the Naive B ayesian is that the parameters are conditional independent. Once the b e havior of the anomalies is similar, the pro- posed clas sifier will misclassify the attacks as it is evident in the reported results. Nevertheless this paper presents a good research work in intrusion detection. 2.5.2 Fuzzy Logic Approach As an example for the fuzzy logic based approach, Dick- erson et al. [16] report a research based on the fuzzy logic concept. The paper repor ts a Fuzz y Intrusion Recognition Engine (FIRE) for detecting malicious intrusion activi- ties. In the reported work, the anomaly based Intrusion Detection System (IDS) is implemented using both the fuzzy logic and the data mining techniques. The fuzzy logic part of the system is mainly responsible for both handling the large number of input parameters and deal- ing with the inexactness of the input data. In the reported work, a Network Data Collection (NDC) module is implemented to take samples fr om the network (using TC P packet data) with 15 minutes inter- vals. NDC is a kind of network data sniffer and recorder system that is responsible for reading packets off the wire and storing them on the disk. The sample size is so large that authors were forced to use data mining technique to create an aggregated key composed of IP source, IP desti- nation and destination port fields to r e duce the data size. In this work, system tracks the statistical variance of the packet counts searching for any unusual incre ases in their number. Once any unusual increase is detected, it means that someone is scanning the network with small number of packets. There are thre e fuzzy characteristics used in this work: COUNT, UNIQUENESS and VARIANCE. The imple- mented fuzzy inference e ngine uses five fuzzy sets for each data element (LOW, MEDIUM-LOW, MEDIUM, MEDIUM-HIGH and HIGH) and appropriate fuzzy rules to detect the intrusion. In their report, authors do not indicate that how did they derive their fuzzy set. The fuzzy set is a very important iss ue for the fuzzy inference engine and in some cases genetic algor ithm approach can be implemented to select the best combination. The pro- posed system is tested using data collected from the local area network in the college of Engineering at Iowa State University and results are reported in this paper. The re- ported results are descriptive and not numerical therefore it is difficult to evaluate the performance of the reported work. Gomez et al. [18] report a work based on the fuzzy logic concept. This work is dedicated to the network in- trusion detection problem. The dataset for this work is KDD-cup’99 and 1998 DARPA datasets. In this work, the Genetic Algorithm (GA) is used to optimize the fuzzy rules so that they can better fit to the pur pose. In this ap- proach, fuzzy sets are normalized to fit within the bound- ary of 0.0 to 1.0. The fitness value for the GA is calculated using the confidence weights of the system. This process is very similar to the way uncertainty problem is handled in the exp ert systems. Later on in their paper, a comparison has been made between the rules for the normal and abnormal behavior (there are two main sets of rules in the system, one is for the normal and the other one is for the abnormal behaviors). In a graph presented in this paper, the false alarm rate and the detection rate of the system were input parame- ters and three curves for Normal rule, Abnormal rule and Normal-Abnormal rules (one with the confidence a and the o ther one with 1 − a) were plotted. The graph was showing a higher detection and lower false alar m rates for using only abnormal fuzzy rules. The system was tested using only 1% of the original 1998 DARPA data sets where 10.63% false alarms and 95.47% detection rate was reported. Authors mention that this abstraction is pos- sible since the norma lization process will produce a uni- form distribution. Analysis: Selecting the 1% r atio of the whole dataset for the training can be a n indica tion that high computational power is required for this task. In another reported work in this area, Botha et al. report a work [7] to detect the intrusion using the user International Journal of Network Security, Vol.1, No.2, PP.84– 102, Sep. 2005 (http://isrc.nchu.edu.tw/ijns/) 90 behavior and the fuzzy logic methodology. In this pa- per, intrusion detection algorithms are similar to the two earlier approaches introduced in previous papers. The overall view of the author s is to consider six different generic phases for an intrusion into a network. The goal of this system is to track and monitor the current state of the user’s behavioral profile c onsidering these categories. These six phase s ar e: 1) Probing phase. Intruder collects information regard- ing the operating system, firewall and the user pro- file. Knowing this information will narrow intruder’s options in finding the weaknesses within the system (Probing command a nd illegal firewall access). 2) Gaining initial acce ss phase. This phase includes the following parameters: Invalid password attempt, user terminal (network address) and user networking hours. 3) Gaining full system access. In this phase the fol- lowing activities will be encountered: Illegal pass- word file access attempt, illegal file/directo ry access attempt, illegal application a c c e ss. 4) Performing the hacking attempt. In this phase in- truder is going to use system facilities and informa- tion (Intruder’s action). 5) Covering hacking tracks. Here the intruder will erase all the track or clues leading to the exposure of his access routes and identity (Audit log acce ss). 6) Modifying utilities to ensure future access. In this phase, the intruder will create a backdoor in the sys- tem for himself to use it for his future access (Creat- ing user account). In this paper, it is assumed (authors reason was the lack of data) that the model for the transition from one state to the other is linear. In other words, if anyone fails to acce ss the system out of the regular working hours, then IDS will be 33.3% certain that this was an intru- sion attempt. There is a separate membership function assigned to each one of the inputs to the system. Prede- fined rules together with output from the aforementioned functions are used by the fuzzy inference engine for de- riving conclusio ns . Results reported using only 12 tes t subjects that looks to be a small number of test cases. 2.5.3 Data Mining Approach In the data mining approach, Lee et al. [31] report a work based on data mining concept where initially two main usual classes of IDS are describe d and compared. Later, authors have explained their way of solving prob- lems with the system and bringing it up to where it is now. Their approa ch is a rule-based approach (using machine learning techniques). I n their proposed system, anomalies are detected using predefined rules. However, the system supe rvisor should know the behavior pattern for a cer- tain anomaly in order to be able to update the system with the appropriate rules. This is how the system be- comes adaptive. Authors have designed, implemented and tested several rule sets for various attack patterns. The rule generation methodology implemented in this work is interesting. They define an association rule (item se t) with the following generic form: X → Y, c, s where X and Y are the item sets for the rule and X ∩ Y = ∅ is the relation between them. s=support(X ∪ Y ) where s is the support value for the rule and c= support(X∪Y ) support(X) is the confidence for the rule. System keeps these rules for a period of time and uses them as the pattern for the event and be havior model for the users . As an example, Lee et al. [30, 31] say: “an association rule for the shell command history file (which is a stream of command and their arguments) of a user is: trn → rec.humor, 0.3, 0.1, which indicates that 30% of the time when user invokes trn, he or she is reading the news in rec.humor, and reading this newsgroup ac- counts for 10% activities recorded in his or her co mmand history file.” There is another rule called frequent episode rule: X, Y → Z, c, s, window where X and Y are the item sets for the rule and X ∩ Y = ∅ is the relation between them. s=support(X ∪ Y ∪ Z) where s is the support value for the r ule and c= support(X∪Y ∪Z) support(X∪Y ) is the confidence for the rule and window is the sampling window interval. Analysis: Their idea for tracking users sounds very in- teresting. As it is explained in the paper, applying proper subintervals, system will reduce the length of the user records. At the same time, system will keep the historical records for the activities in its database (data reduction). Using the user records, system will generate a rule set for the a ctivities within the network. At this stage, system can notice the irregularities and identify them (if they are known). Several test scenarios where presented. Since for the test purposes no standard datasets such as DARPA was used, it is hard to evaluate and compare their results. However, the proposed rule based a pproach is implemented in a good way. There is an abstraction on the anomaly detection con- cept in their repo rted work. In the report [30] authors say: “Anomaly detection is about establishing the nor- mal usage patterns from the audit data”. Their viewpoint see ms to be the following: Anoma ly detection is to detect any known anomaly (or a famous anomaly pattern) in the network. However, we a re not necessarily agreed with them on the known anomaly or the signature based approach and would rather to use any automatically de te cted intrusive anomaly detection approach. Adaptability of their r e ported system requires that someone always keep the system rule sets up to date. It could be a big challenge to include an automated adap- tation feature in the IDS. Lee et al. in another paper [28] report a work to im- prove and continue their earlier work in the field of intru- International Journal of Network Security, Vol.1, No.2, PP.84– 102, Sep. 2005 (http://isrc.nchu.edu.tw/ijns/) 91 sion detection. In their new approach, they have imple- mented their system in a distributed configuration. This will help them to break down their workload and pe r- form a type of parallel processing. In this way, they can also perform sophisticated tasks and implement compli- cated algorithms. Analyzing their work and considering their background in rule based approach; one can easily get the idea of the “Black Board” strateg y as it is in the exp ert systems, out of their work. They have also indicated that they are very much in- terested in “Black Box” modeling of the system. This is a great idea and honestly speaking this is the idea in our minds as well. This is because attacks are not in a static model and every now and then a novel attack pat- tern emerge s. A black box approach to this problem will provide the IDS with the ability to detect the intrusion without necessarily knowing its type/ca tegory or name. Lee et al. [28] noted in their report that “A major design goal of CIDF is that IDAR systems can be treated as “black boxes” that produce and con- sume intrusion-related information” . Where CIDF and IDAR res pectively stand for “Common Intrusion Detec- tion Framework” and “Intrusion Detection Analysis and Resp onse”. Considering the above, they have also noted in the ear- lier parts of their report that: “we need to first select and construct the right set of system features that may contain evidence (indicators) of normal or intrusions. In fact, feature selection/construction is the most challeng- ing problem in building IDS, regardless the development approach in use.”[28] that is a very true statement a nd it is important to find right features. There are some issues to bring up in this regard. These issues will be discussed in the following. In the experiments section of the reported work, au- thors report an experiment where in a simulated SYN flood attack the IDS has not o nly detected the attack but has sent agents to the slave computers (those who where attacking the network or the server) to successfully kill the malicious agents there . The idea seems fine, but what about the legal and privacy issues? Is it legal to send agents to people’s computers without their cons e nt? There should be a legal solution to the privacy problem befo re implementing such strategie s. This approach can be feasible for the network of an organization, but not over the internet. Analysis: This appr oach seems reasonable but there are some issues tha t need to be addressed: 1) The reported work is heavily counting on the con- nectivity or the availability of the network structure for their work. In s ome occasions, this cannot be exp ected. This is beca us e in some DOS attacks not the server but the network switches might become saturated, which means that there will be no means by which these distributed systems can communicate with one another. 2) The feature detection part has to be automated, this is because different attack strategies may have dif- ferent features and in an adaptive system feature ex- traction ha s to be automated. However, authors in their implementation part of the report still report that human inspection is required in their system. 3) We believe in the Bla ck Box (BB) approach for this type of problems. It is also evident that model- ing such a huge and complicated system needs both a gre at computational power and a large memory space. Nevertheless, one has to accept the fact that some times cost is high! The questio n is not the cost but on the other hand, it is about the possibility. In many occasions , learning speed in BB modeling is so slow that it is practically impossible to use it in the real world applications. However, if possible to im- plement, a BB model can never tell you how or why this situation is an attack! It just knows that this is an attack (seems like one or behaves like one)! No numerical results are presented in this report. Just the experimental environment and the experiments were described. 2.5.4 Different Tends in Data Mining Approach In another group of the fuzzy logic and Genetic Algo- rithms (GA) related papers that are related to IDS con- cept, the one to start with is a work from Bridges et al. [8]. They report a work where fuzzy logic is used to model the uncertainties in the network behavior. The GA’s role here is to optimize the membership functions of the fuzzy logic engine. Authors also report that they have imple- mented standard S, PI, and Z functions in their work as well. This will make the membership function to look different from just some overlapped triangles . Here, the triangles will turn into half sine waves. Their approach is an anomaly-based approach. They are using expe rt sys- tems and their approach is rule-based. Association rules and their corresponding confidence and support factors are also implemented in the system. Their reported result shows that by tuning fuzzy logics membership function, GA’s optimization process is improving the performance of the IDS (improves its feature extraction capabilities). In the reported paper, fuzzy results were compared versus results from a non-fuzzy system using a diagram. The de- picted diagram indicates less false positive error rate for the fuzzy based methodology. The method is well defined and as it is indicated in the paper, the work is an ongoing work and needs further follow up. In another repor ted work by Barbara et al. [4] reports the same work as it is previously mentioned in this report [5] and reports other researchers appro aches in this area. He is not satisfied with the quality of the result r e ported by Lee et al. [30]. However, two papers from Lee et al. are referenced in their paper. Regarding the weaknesses of their own method, they reason that it is due to inac- curate thresholds in their classification system. Authors are suggesting that in order to improve the accuracy and International Journal of Network Security, Vol.1, No.2, PP.84– 102, Sep. 2005 (http://isrc.nchu.edu.tw/ijns/) 92 the detection rate for the proposed system, one way can be to add more sensors to the system. This idea is sim- ilar to the one in the control systems area of research (so called multi-sensor data fusion). In their future work, authors goal is to avoid the dependency on the training data (probably because it is very difficult to obtain such a dataset) for the normal events. As it is evident in this last set of reported works, the fuzzy logic or Bayesian estimator based works can be in- cluded under either their own name or under the data mining category name. This is be c ause the data mining work area is a multi-disciplinary area of research. Yoshida [43] in his paper reports a new approach to the IDS design. In this paper, the author indicates that his/her goal is to provide system with the ability to de- tect newly encountered attacks. However, this claim in the pap er is not supported by the experimental results. Yoshida’s report is mainly descriptive and it talks about the new a pproach without showing any proof of its per- formance. Yoshido explains that applicatio n of the APRIORI al- gorithm that mines the assoc iation rules from the given dataset is most popula r among the researchers in data mining re search area. Yoshido also believes that “the result of APRIORI algorithm involves association rules with contradiction”[43]. He also indicates that the result of this algorithm is noisy and in order to use it within an IDS, the result needs post-processing. As for his proof, he provides an example where in a given database there are two rules such that: Rule X has 100 supporting and 200 contracting data items in the database and rule Y which has 99 supporting and no contracting data items. Given MinSup (Minimum support) value equal to 100, APRI- ORI algorithm will only find the rule X. If it is desired to have the Y rule as well, then the MinSup value should be decreased which in turn will lead to a higher noise in the result. In order to improve the results, Yoshido proposes a Graph Based Induction (GBI) approach using Entropy based data mining. The GBI algorithm is as follows: First the input graph is contracted. Here “Every occ urrence of the ex tracted sub-graph in the input gr aph is replaced by a single node in step 1”[43]. In the second step, the contracted graph is analyzed and consequently every sub- graph consisting of two linked nodes that are called a pair is extrac ted. Finally satisfying a certain criteria the best pair is selected. Later on “ The selected pair is expanded to the original gra ph, and added to the set of extracted sub-graphs”[43]. For calculation of the Entropy he uses the following formulas. Inf ormation gain(D, T ) = Entropy(D) −  G i G |G i | |D| Entropy(G i ) (2) Where T is the new test dataset and D is the orig inal dataset that is going to be classified. The Entropy can be calculated using the following formula: Entropy(D) = n  i=1 −p i log 2 p i (3) The G i is a subset of D classified by the test T and p i is the probability of class i. Cabrera et al. [11] report a work in continuation of their earlier work [10] where the feasibility o f their approach was studied. Authors use the Simple Net- work Management Proto c ol (SNMP) to build an IDS s ys- tem. They separate their appr oach from the common approaches in the network security area by saying: “IDSs either rely on audit records collected from hosts (host-based IDSs) or on raw packet traffic collected from the c ommunication medium (network-based IDSs). SNMP-based NMSs on the other hand rely on MIB vari- ables to set traps and perform polling”[10]. Later, paper explains tha t although these two ap- proaches do not have much in common, SNMP-based Net- work Management Systems (NMS) relying on the Man- agement Information Base (MIB) variables can help the IDS to set traps and perform polling. This will enable us to design a distributed IDS. Authors intention is to use MIB variables to improve the detection rate of the IDS espec ially for those attacks that are difficult to de- tect. A SNMP-friendly IDS can use the MIB to cover a wide spectrum of security violations. They also believe that “MIB variables can be used not only to character- ize security violations, but also to characterize precursors to security violations”[10]. Authors say that the idea of proactive IDS is about predicting the intrusion attack be- fore it actually reaches to its final stage. Cabrera et al. mainly focus on the Distributed Denial Of Service (DDOS) attack. In this type of attack, initially a master node will install a slave progr am in the target clients of the network. Then after awhile it or ders them to start the attack by s e nding a message to them. In this system, slaves w ill generate an artificial traffic by which they will cause network congestion and will bring the network into halt. Ca brera e t al. have characterized their proposed system into two ca tegories: 1) Temporal Rule s: In this category in the detection rule, the antecedent and the consequence will appear in a correct order in distinct time instances (first antecedent followed by the c onsequence). The time series analysis in this work will deal with the design of the IDS. 2) Report incoming danger: If the antecedent is true then after a certain time delay the attack will commence. Extraction of the temporal rules is an off-line operation that implements data mining methodologies. Extraction of the rules is performed in four stages where a large dataset from the network s tatus evolutions to the history of security violatio ns are analyzed. These stages are as follow: International Journal of Network Security, Vol.1, No.2, PP.84– 102, Sep. 2005 (http://isrc.nchu.edu.tw/ijns/) 93 Step 1 Extracting the effective parameters/variables at the target side within the dataset. It is very impor- tant to know where to look for the clues. Step 2 Extracting the key parameters/variables at the intruder side within the dataset. IDS should be able to model the behavior of the intruder and these vari- ables are used to detect the current state of the in- trusion process. This information may derive from statistical casualty tests o n some candidate variables plus variables from step 1. Step 3 Determining the evolution of the intrusion pro- cess using the variables derived from step 2 and com- paring them versus normal state of the network. It is clear that this work follows the anomaly detection approach. Step 4 In this stage the events extracted in the step 3 are being verified to see if they are consistently fol- lowed by the security violations observed in variables extracted in step 1. In their description of this type of attacks, authors de- pict a timing diagram for a five stage transfer to the final network saturation in DDOS. These steps are: Master initiates insta llation of slaves (T0), Master completes in- stallation of slaves (T1), Master commands the slave to initiate the attack (T2), Slaves start sending disabling network traffic to the target (T3), Disabling network traf- fic reaches the Target (T4), The target is shut down (T5). At this time chart, T0 is the start of the attack and T5 is when the network will go down. The time-period between T1-T2 is solely dependent on human factor and on when the master will decide to order the slave to start the attack. Considering this chart and by using the NMS within the IDS, the system might be able to predict or react to the attacks. Authors of the paper have prepared a test rig for the intrusion attack simulation and have carried out few in- teresting experiments on their test rig. The results are monitored and recorded. In this way, they can investigate the behavior of their IDS and study the results. Their main emphasis is on the data ex tracted from the MIB variables. They have included few charts from the MIB variables within the test period in their paper and have analyzed them. In intervals of 2 hours and sample rate of 5 seconds, 91 MIB variables corresponding to 5 MIB groups are collected by the NMS. These charts are syn- chronized so that they can be studied. Charts will provide us with an understanding of the behavior of the system during the normal and under attack periods. Since these charts are synchronized, one can easily rela te the sequence of the events from one variable to the other. Later on in their pa per , authors explain how to ex- tract rules from this dataset. In their description they have assumed that the sampling interval is constant i.e. samples are taken in equal time intervals. The result is a multivariate time series. Among different definitions in the paper, two of them seem very interesting and they are explained in below: Causal rule “If A and B are two events, define A τ ⇒ B as the rule: I f A occurs, then B occurs within time τ. We say that A τ ⇒ B is a causal rule”[11]. Precursor rule “If A and B are two events, define A τ ⇐ B as the rule: If B occurs, then A occurred not e arlier than τ time units before B. We say that A τ ⇐ B is a precursor rule”[11]. Both of these rules are special cases of the temporal rules. As an indication of the certainty level for c orrectness of the rules, each one of these rules can be associated with a confidence factor. Authors mention that precursor rules are mined, but only causal rules were applied. Three problems for the rule extraction are addressed in this re- port and later on solutions have been sugge sted [11]. 3 Modeling the Network as a Sys- tem The g oal of finding a model for the network is to define the normal behavior and consequently anomaly in the behav- ior of the system. In the current literature, authors have defined the normal behavior of the network with regard to their own view points and no generic definitions are necessarily provided. A generic definition for the normal behavior and anomaly is proposed in below. Generic definition of the normal behavior of the sys- tem (network): The most fr e quent behavior o f (events within) the system during a certain time period is called the normal behavior of the system. This behavior is the dominant behavior within the system a nd is the most fre- quently repeated one. Generic definition of the anomaly within the system (network): The least frequent behavior of (event within) the system during a certain time period is called anomaly or abnormal behavior. The repeating period for an anomaly event has a very long repeat period and its in- terval is close to the infinity. The most and the least frequent events will have re- sp e c tively the lowest a nd the highest variances among all the other events. Therefore, effective parameter s will be: the duration of the time period, the frequency and the variance of the events within that time frame. As it is clear from the literature, researchers have fol- lowed different approaches to improve accura cy and per- formance of their proposed IDS. However, the execution time constraint is always an obstacle or a challenge to overcome. Modeling a dynamic and complex system such as the network is very difficult. Thus, abstra c tio n and partial modeling can be a good solution. This is why some researchers have chosen to separate different parts of the network and model them individually. The whole net- work can be divided into three different segments: host, user and the network environment. The user itself can [...]... groups namely normal and anomaly, where the anomaly pattern is likely to be an attack Nevertheless, there are occasions where a legitimate use of the network resources may lead to a positive classification result for the anomaly or signature based intrusion detection As a result of this wrong classification, IDS will wrongly raise the alarm and will signal an attack This is a common problem with the IDS and. .. “Honeynet project,” http://www.honeynet.org/ M Otey, S Parthasarathy, A Ghoting, G Li, S Narravula, and D Panda, “Towards nic based intrusion detection, ” in Proceedings of the ninth ACM SIGKDD international conference on Knowledge discovery and data mining, pp 723–728 ACM, ACM Press, NY, USA, Aug 2003 Poster Session: Industrial/government track G Ramachandran and D Hart, A p2p intrusion detection. .. ID systems use a hybrid approach where anomaly Specification Based IDS Signature based intrusion detection (misuse detection) is one of the commonly used and yet accurate methods of intrusion detection Once a new attack is launched, the attack pattern is carefully studied and a signature is defined for it The signature can be a name (in characters) within the body of the attack code, the targeted resources... to a deviation larger than a threshold value from its normal behavior model can be considered as an anomaly Another approach is to monitor the system for a period of time and then assign a baseline to the systems parameters In this approach, crossing the baseline denotes an anomaly behavior It is also possible to assign a normal behavior model to a host and to consider any other behavior an anomaly... performance of the IDS in regard to speed and network traffic MADIDS consist of four parts: Event Generation Agent, Event Analysis Agent, Event Tracking Agent and Agent server Data is transferred by the Generalized Intrusion Detection Object (GIDO) Event generators are responsible for collecting data and converting them to the appropriate format Event analyzers are responsible for analyzing the events and. .. data mining for intrusion detection and threat analysis: Adam: a testbed for exploring the use of data mining in intrusion detection, ” ACM SIGMOD Record, vol 30, pp 15–24, Dec 2001 D Barbara, N Wu, and S Jajodia, “Detecting novel network intrusions using bayes estimators,” in Proceedings of the First SIAM International Conference on Data Mining (SDM 2001), Chicago, USA, Apr 2001 M Bilodeau and D Brenner,... Acknowledgement This work was funded by the Atlantic Canada Opportunity Agency (ACOA) through the Atlantic Innovation Fund (AIF) to Dr Ali A Ghorbani [11] [12] References [1] Unspam; LLC a Chicago-based anti-spam company “Website for the project honeypot,” [13] http://www.projecthoneypot.org/ [2] M Analoui, A Mirzaei, and P Kabiri, Intrusion [14] detection using multivariate analysis of variance al- [15] gorithm,”... multi-agent based IDS, the system should be able to have a perception of the world surrounding it Finally, paper proposes a model with a network architecture consisting of four types of agents: basic agent, coordination agent, global coordination agent, interface agent Console consists of two agents, a global coordination agent and an interface agent The global coordination agent is responsible for all... International Conference on Sys- 100 tems, Signals & Devices SSD05, vol 3, Sousse, Tunisia, Mar 2005 IEEE A Zhong and C F Jia, “Study on the applications of hidden markov models to computer intrusion detection, ” in Proceedings of Fifth World Congress on Intelligent Control and Automation WCICA, vol 5, pp 4352–4356 IEEE, June 2004 D Barbara, J Couto, S Jajodia, and N Wu, “Special section on data mining... detection based ID methods can detect the intrusion and raise the alarm Using the anomaly detection based ID, the signature based methods can also be used to refine the FP alarms raised by this method This approach will result in increasing the accuracy and reliability of the IDS while keeping the number of FP alarms low A recently introduced approach is the specification based intrusion detection approach . indicates that this work is the c ontinuation of an ongoing research based on “an anomaly detection system called Audit Data Analysis and Mining” (ADAM). Their. “Spe- cial section on data mining for intrusion detection and threat analysis: Adam: a testbed for exploring the use of data mining in intrusion detection, ” ACM SIGMOD