False Positives in Intrusion Detection Systems PDF

Title False Positives in Intrusion Detection Systems
Author Ganta Victor
Pages 7


False Positives in Intrusion Detection Systems

Ganta Jacob Víctor (1), Sreenivasa Rao Meda (2), V CH Venkaiah (3)

(1) IT & C Dept., Govt. of A P, Secretariat, Hyderabad, India
(2) SIT, JNTH University, Hyderabad, India
(3) CRRao Advanced Institute of Mathematics, Statistics and Computer Science, University of Hyderabad Campus, Gachibowli, Hyderabad
E-mail: (1) [email protected], (2) [email protected], (3) [email protected]

Abstract: Intrusion Detection Systems (IDS) are installed to alert on, or prevent, suspicious traffic and activity on IT infrastructure. In the Snort model, intruder detection is based on an anomaly profile. When profile parameters only partially match attack patterns, the IDS may output a false positive or a false negative. The present work focuses on the functionality of the Snort IDS in keeping false positives to a minimum permissible level. Customization of the IDS for efficient administration is explored, and experimental results are presented with reference to an organizational structure. Continuous monitoring of all types of alerts, and thereby forming a judgment on how to improve security, is the major concern of the proposed model.

Keywords: Port scan; firewall; vulnerabilities; security; pass; signature.

I. INTRODUCTION

Internet, mobile technologies and computers have become part of day-to-day life. Since reliance on connectivity for computing and sharing data is now mandatory, computers, storage devices and mobile devices are connected to the Internet, and IT installations and confidential data are susceptible to cyber attacks. To address these threats, various security tools such as antiviruses, firewalls and Intrusion Detection / Prevention Systems are deployed. With new attack methods and fast computing environments, Simon Edwards [1] (2002) states that new vulnerabilities are identified every day, so the security mechanism has to be updated as frequently as possible. False positives will occur if stringent rules are enabled to increase security and reduce false negatives. Rafeeq Ur Rehman [2] presents intrusion detection techniques as the last line of defense against computer attacks behind a secured network. Attacks against IT infrastructure succeed despite the installation of intrusion prevention models because of poorly configured or buggy software. Denning (1986) presented the first IDS, with six components: subjects, objects, audit records, profiles, anomaly records and activity rules. The Threat Management System proposed by Steven J. Scott (2002) [3] consists of devices, aggregation, correlation, analysis and alarm.

Intrusion detection systems are designed and supplied by vendors, and the security administrator configures the IDS to fit the environment. The IDS raises alarms depending on posterior or pre-analysis of the traffic. The network / security administrators have to examine every alert, and most alerts turn out to be false positives. High numbers of alerts dilute the administrators' concentration on serious alerts; time and effort are wasted on false positives. This work was taken up to save the time and effort of the network / security administrator by minimizing false positives while customizing the IDS to the environment with additional functionality.

II. INTRUSION DETECTION SYSTEM

The open source Snort is used for experimenting. In the Snort IDS, threat identification is based on signatures and rules, or anomalies, for each and every attack and its variants. Hence each attack and each of its variants is identified and analyzed, and a signature is prepared and deployed. If the process of remediation is uncoordinated among multiple variant signatures, it creates an ever-increasing number of signatures, producing more alerts, many of which may be false positives. Like industry standard IDSs, Snort is also able to identify malicious code by Common Vulnerabilities and Exposures (CVE) ID [4] or another equivalent identifier. An IDS generally does not have the intelligence to determine whether any machine on the network is susceptible to the attack with that CVE ID, whether any machine has the specific vulnerability, or whether the targeted vulnerability has already been patched. IDSs have been studied for more than 28 years, since Anderson's [5] (1980) report. The concept is that an intruder's behavior will differ from that of a legitimate user and that these actions are detectable. As per Peng Ning [6] (2005), intrusion detection systems (IDSs) are usually deployed along with other preventive security mechanisms, such as access control and authentication, as a second line of defense that protects information systems. The IDS architecture consists of various layers. The traffic (packets) acquired from the network is passed through layers of decoder routines. Each preprocessor checks the packet, which is then sent through the detection engine. The detection engine checks each packet against the various options listed in the Snort rules files. Content, flow, flowbits, pcre, byte_test and byte_jump are the matching functions.

Stefano Zanero (2007) [8] classified intrusion detection systems, based on the concept of processing, into two categories: misuse detection and anomaly detection. An IDS based on anomaly detection creates a behavior model for the monitored infrastructure, including its users; any deviation from 'normal' behavior beyond defined thresholds marks the action as suspicious. Alternately, a misuse detection IDS uses a set of signatures stored in a knowledge base to identify intrusion attempts. A summary of the strengths and weaknesses of the two approaches is shown in Table 1.

Figure 1. The basic flow of the IDS

The network IDS performs packet analysis to detect intrusions. The first process is decoding each packet. The decoder identifies the protocols used in the packet, such as Ethernet, IP, TCP, UDP and ICMP. The protocol information, the location of the payload in the packet and the size of the payload are saved for use by the preprocessors and the detection engine. If configured, the decoder opens the packet headers, examines the header fields for errors or anomalies, and outputs an alert or drops the packet. For example, if the protocol field indicates IPv4 and the size is less than 20 bytes, the minimum length of an IPv4 header, the IDS generates an alert and drops the packet. In the Snort IDS, "the Performance Monitor preprocessor measures performance and turns on event reporting and prints out statistics as to the number of signatures that were matched by the set-wise pattern matcher (non-qualified events) and the number of those matches that were verified with the signature flags (qualified events). This shows the user if there is a problem with the rule set that they are running".
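The decoder stage described above, as an added Python example that is not code from the paper or from Snort: a minimal Ethernet/IPv4 decoder that records the protocol number and payload location for later stages, and raises a decoder-level alert (the kind of alert the paragraph mentions) when the EtherType says IPv4 but fewer than 20 bytes remain, when the IHL field claims a header shorter than the minimum, when the version field is wrong, or when the total-length field disagrees with the bytes on the wire. The frames, addresses and the `build_ipv4_frame` helper are constructed for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPV4_MIN_HEADER = 20  # minimum IPv4 header length in bytes (IHL = 5)


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet + IPv4 headers the way an IDS decoder layer would.

    Returns a dict with 'alerts' (decoder anomaly strings) and, when the packet
    is sane, the protocol number plus the payload offset and size that the
    preprocessors and the detection engine would consume next.
    """
    result = {"alerts": [], "proto": None, "payload_offset": None, "payload_len": None}
    if len(frame) < 14:
        result["alerts"].append("truncated Ethernet header")
        return result
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        result["alerts"].append(f"non-IPv4 EtherType 0x{ethertype:04x} (not decoded here)")
        return result

    ip = frame[14:]
    # The paper's example: EtherType says IPv4 but fewer than 20 bytes remain.
    if len(ip) < IPV4_MIN_HEADER:
        result["alerts"].append(f"IPv4 header too short: {len(ip)} bytes < {IPV4_MIN_HEADER}")
        return result

    # First 12 bytes of the fixed header; source/destination addresses follow.
    ver_ihl, _tos, total_len, _id, _flags_frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    version = ver_ihl >> 4
    ihl_bytes = (ver_ihl & 0x0F) * 4
    if version != 4:
        result["alerts"].append(f"version field is {version}, expected 4")
    if ihl_bytes < IPV4_MIN_HEADER:
        result["alerts"].append(f"IHL claims {ihl_bytes}-byte header, below the 20-byte minimum")
    if total_len < ihl_bytes or total_len > len(ip):
        result["alerts"].append(f"total length {total_len} inconsistent with {len(ip)} bytes on the wire")
    if result["alerts"]:
        return result  # a real decoder would drop the packet at this point

    result["proto"] = proto
    result["payload_offset"] = 14 + ihl_bytes
    result["payload_len"] = total_len - ihl_bytes
    return result


def build_ipv4_frame(payload: bytes, ihl: int = 5, version: int = 4, total_len=None) -> bytes:
    """Build a constructed Ethernet/IPv4 frame for testing (checksum left zero,
    hypothetical 10.0.0.1 -> 10.0.0.2, protocol 17 = UDP)."""
    header_len = ihl * 4
    if total_len is None:
        total_len = header_len + len(payload)
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip_fixed = struct.pack("!BBHHHBBH", (version << 4) | ihl, 0, total_len, 1, 0, 64, 17, 0)
    ip_fixed += bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2])
    options = b"\x00" * (header_len - 20) if header_len > 20 else b""
    return eth + ip_fixed + options + payload


if __name__ == "__main__":
    for name, frame in [("good", build_ipv4_frame(b"hello")),
                        ("short", b"\x00" * 12 + b"\x08\x00" + b"\x45\x00\x00\x14"),
                        ("bad-ihl", build_ipv4_frame(b"x", ihl=4))]:
        print(name, decode_frame(frame))
```

Note that a short IPv4 packet is rejected before the header is parsed at all; only a packet that passes the length check is inspected field by field, which mirrors the layered decoder-then-preprocessor order the paragraph describes.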

III. CLASSIFICATION OF IDS

William Stallings (2003) [7] classified IDSs based on various parameters. The standard models are rule-based detection and statistical anomaly detection. Statistical anomaly detection systems are grouped into profile-based detection and threshold detection.

Figure 2 IDS classification

The other classification is based on the source of the data analyzed / examined by the IDS: in a Network-based Intrusion Detection System (NIDS) the audited data is collected from the network, while in a Host-based Intrusion Detection System (HIDS) the audited data is collected from the host itself. These two models reflect different types of deployment. NIDSs are further grouped into two types: the first uses built-in, static signatures and the second uses stateful, dynamic signatures.

Table 1: Differences in anomaly based & misuse based IDSs

Misuse Based                               | Anomaly Based
-------------------------------------------|--------------------------------------
Continuous updates required                | No updates required
No initial training                        | Training is required
Needs tuning as per environment            | Tuning is a part of training itself
Novel attacks cannot be detected           | Detects any novel attacks
Accurate alerts                            | Vague alerts
Very few false positives                   | Huge numbers of false positives
Raises a number of non-contextual alerts   | Nil
Easy to design                             | Difficult to design

HIDSs fall into two categories, OS-specific and application-specific. A host IDS depends on data drawn from the operating system of the host being monitored, and controls that machine alone or a single application on the host.

Stego Intrusion Detection System (SIDS): Another type of intrusion takes the form of stego communication. Steganalysis is the process required to discover any occurrence of stego content in data or media, so as to prevent stego intrusions. Steganalysis is an inexact discipline; it outputs a number in a given range to indicate the probability that steganography was actually used in a communication file. Michael Sieffert et al. [9] (2004) state that programs to hide steganographic content in common file types are freely and readily available, resulting in stegano attacks. A Steganographic Intrusion Detection System shall be deployed to address stegano attacks.

IDS based on neural networks: Daejoon Joo et al. [10] state that neural networks capture relationships better than statistical models, nonlinear relationships in particular. Developers need not build any rules with logical conditions. In an environment where the construction of rules is difficult, a neural network is best suited.

Comparison of Database IDS versus Network IDS: In the beginning, security experts felt that intrusions came from external sources, and detection was performed at the network entrance to secure the perimeter, concentrating on detecting behavioral or signature-based anomalies. To safeguard a network, deploying a network IDS / IPS is important; however, Joshua Shaul [11] (2004) says that a NIDS will not assure complete protection, as intrusions also come from internal sources and are specifically targeted at the DBMS. To address internal intrusions on database servers, a database IDS shall be attached to monitor the relevant traffic on that server only. A database IDS is built on specific knowledge of the respective DBMS to sense potential attacks and flag them.

The host (database) IDS and network IDS/IPS are not competing technologies that can independently protect the targeted area; both must be implemented together for effective protection of IT resources. A host IDS detects privilege escalations, attacks originating from a web application front end, access to sensitive operating system resources and buffer overflows; a database IDS can detect malicious SQL statements, data theft, attempts to steal user passwords, SQL injection and cross-site scripting attacks.

IV. RELATED WORK

To eliminate false positives, all possible threats must be listed and made available in the IDS [Snort], so that there are no behavior or signature mismatches and thereby no partial

matches, and hence no false negatives or false positives. However, it is not possible to list all feasible threats, so alternate methods are necessary to address this problem. When an "attack" packet is identified, the IDS performs a cross-reference against the targeted host information to determine whether the target host is vulnerable. If the target host is deemed "not vulnerable", the IDS may log the notification for forensic purposes but visually suppress the alert. The result is that the security administrator only deals with "potent" alerts for which the host is actually vulnerable. Andre Yee [12] (2004) states that IDSs have long been recognized as a necessary component of a multilayered security architecture, but the effectiveness of intrusion detection is limited by the need to process a large number of alert notifications, many of which are either incorrect or irrelevant. New network IDS products are appearing that help tackle the false-positive problem with a smarter detection engine built on key technologies: operating system fingerprinting, alert-flood suppression, meta-alert correlation and others.

Passive OS fingerprinting: A false positive occurs when administrators are notified in a non-vulnerable scenario. These scenarios exist because most network IDSs do not take the host vulnerability profile into account when detecting attacks. For example, a Windows remote procedure call attack will be flagged as an alert even if there are only Linux machines on the network. The key to reducing false positives in this scenario is context-based alerting, in which host information is incorporated into the detection framework. Passive operating system fingerprinting determines the target host's operating system by matching IP and TCP header parameters with those of known systems. A database of host profile information is constructed and used in the detection engine.

Meta-alert correlation: Meta-alerts are generated by the correlation of two or more alerts, possibly from different sensors. Meta-alert correlation rules are defined in the IDS by the security administrator to enable the generation of a higher-priority alert whenever certain conditions related to lower-level alerts are fulfilled. Scans coming from the same source IP address at an increasing rate may indicate escalating activity with greater penetration, and hence would necessitate a higher-priority alert. If meta-alert correlation were not enabled, each of these host scans might be viewed as a discrete activity, possibly dismissed as insignificant and treated as a false positive.

Network quarantine channels (NQC): Intelligent strategies for the reduction of false positives and infrastructure protection, involving an approach using adaptive responses from firewall rule sets in novel "network quarantine channels" [13] (NQC), were proposed by Emmanuel Hooper (2006) using firewall architectures. The model combines firewall architecture and rules to respond to suspicious hosts and deny access to critical segments of the network infrastructure.

Hybrid intrusion detection: Kai Hwang, Min Cai, Ying Chen and Min Qin (2004) proposed a hybrid model. The hybrid IDS combines the low false-positive rate of a signature-based intrusion detection system (IDS) with the ability of an anomaly detection system (ADS) to detect novel, unknown attacks. By mining anomalous traffic episodes from Internet connections, they build an ADS that detects anomalies beyond the capabilities of signature-based Snort or Bro systems. A weighted signature generation scheme [14] integrates the ADS with Snort by extracting signatures from the anomalies detected. The HIDS (hybrid IDS) extracts signatures from the output of the ADS and adds them to the Snort signature database for fast and accurate intrusion detection.

V. PROPOSED MODEL

Stephen Northcutt & Judy Novak [15] (2003) state that behavior is not analyzed in terms of stimulus and response, SYN floods and so on. The main reason for this wrong interpretation is the way the rules are configured. The best way to secure the infrastructure and get rid of false positives is to review the configurations, apply the security patches and update the behavior signatures.

False positive: A false positive is the classification of an action as anomalous when it is legitimate. An intrusion is an activity that violates the security policy. Most current network intrusion detection systems have a very high rate of false positives, as they cannot yet make wise decisions on whether the traffic coming across a given network is harmful or innocuous. A false positive is another way of saying 'mistake': it occurs when the IDS program mistakenly flags an innocent behavior. This may seem harmless enough, but false positives can be a costly nuisance, leading to non-availability or a dropped connection and hence lost productivity due to downtime. In our application we consider alerts which are only partially matched as false positives.

False negative: The act of not detecting an intrusion when the observed event is illegal is defined as a false negative. In other words, a false negative is an actual misuse action that the system allows to pass.
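The two alert-reduction techniques from the related work, context-based alerting against a host profile database and meta-alert correlation of escalating scans, as one added Python example that is not code from the paper or from any IDS product. The host profiles, addresses and alert records are constructed; the profile table stands in for what passive OS fingerprinting would build, and the `Alert.target_os` field stands in for the operating system a signature applies to. Exploit alerts whose target is profiled as a different OS are separated for forensic logging rather than discarded, and unprofiled hosts are never suppressed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    ts: int                          # seconds since start of capture (constructed)
    src: str                         # source address
    dst: str                         # targeted host
    sig: str                         # signature name
    kind: str                        # "scan" or "exploit"
    target_os: Optional[str] = None  # OS the exploit signature applies to, if any


# Constructed host-profile database, shaped like what passive OS fingerprinting
# would build from observed IP/TCP header parameters (hypothetical addresses).
HOST_PROFILES: Dict[str, str] = {
    "10.1.1.10": "linux",
    "10.1.1.11": "linux",
    "10.1.1.20": "windows",
}


def context_filter(alerts: List[Alert], host_profiles: Dict[str, str]) -> Tuple[List[Alert], List[Alert]]:
    """Context-based alerting: keep 'potent' alerts whose target may be vulnerable and
    separate those whose target OS does not match the signature, so they can be logged
    for forensics but hidden from the administrator's console."""
    potent, suppressed = [], []
    for a in alerts:
        host_os = host_profiles.get(a.dst)
        if a.target_os is not None and host_os is not None and host_os != a.target_os:
            suppressed.append(a)
        else:
            potent.append(a)  # unprofiled hosts stay visible: no profile gives no grounds to suppress
    return potent, suppressed


def correlate_escalating_scans(alerts: List[Alert], window: int = 60, min_windows: int = 3) -> List[dict]:
    """Meta-alert rule: scans from one source whose per-window count rises over
    `min_windows` consecutive windows are escalated to a single high-priority alert."""
    per_src: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        if a.kind == "scan":
            per_src[a.src][a.ts // window] += 1
    meta = []
    for src, counts in per_src.items():
        buckets = sorted(counts)
        run = 1
        for prev, cur in zip(buckets, buckets[1:]):
            # the run continues only if the windows are adjacent and the count grew
            run = run + 1 if (cur == prev + 1 and counts[cur] > counts[prev]) else 1
            if run >= min_windows:
                meta.append({"src": src, "priority": "high",
                             "reason": f"scan rate rising over {run} consecutive {window}s windows",
                             "counts": [counts[b] for b in buckets]})
                break
    return meta


# Constructed alert stream (not from the paper's capture): one source whose scan rate
# climbs 1 -> 2 -> 4 per minute, one whose rate falls, and three exploit alerts for a
# Windows-only signature aimed at a Linux host, a Windows host and an unprofiled host.
SAMPLE_ALERTS = [
    Alert(5, "10.9.9.9", "10.1.1.10", "PORTSCAN TCP", "scan"),
    Alert(70, "10.9.9.9", "10.1.1.11", "PORTSCAN TCP", "scan"),
    Alert(80, "10.9.9.9", "10.1.1.20", "PORTSCAN TCP", "scan"),
    Alert(130, "10.9.9.9", "10.1.1.10", "PORTSCAN TCP", "scan"),
    Alert(140, "10.9.9.9", "10.1.1.11", "PORTSCAN TCP", "scan"),
    Alert(150, "10.9.9.9", "10.1.1.20", "PORTSCAN TCP", "scan"),
    Alert(160, "10.9.9.9", "10.1.1.30", "PORTSCAN TCP", "scan"),
    Alert(10, "10.8.8.8", "10.1.1.10", "PORTSCAN TCP", "scan"),
    Alert(20, "10.8.8.8", "10.1.1.11", "PORTSCAN TCP", "scan"),
    Alert(90, "10.8.8.8", "10.1.1.20", "PORTSCAN TCP", "scan"),
    Alert(200, "10.7.7.7", "10.1.1.10", "WINDOWS RPC exploit attempt", "exploit", target_os="windows"),
    Alert(201, "10.7.7.7", "10.1.1.20", "WINDOWS RPC exploit attempt", "exploit", target_os="windows"),
    Alert(202, "10.7.7.7", "10.1.1.99", "WINDOWS RPC exploit attempt", "exploit", target_os="windows"),
]

if __name__ == "__main__":
    potent, suppressed = context_filter(SAMPLE_ALERTS, HOST_PROFILES)
    print(f"{len(potent)} potent alerts, {len(suppressed)} suppressed for forensics")
    for m in correlate_escalating_scans(potent):
        print("META-ALERT", m)
```

Running the correlation on the potent list rather than the raw stream keeps the two stages in the order the text gives: suppression first, then escalation of what remains.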

VI. EXPERIMENTAL WORK

The experimental environment was implemented on a large campus area network spread over multiple buildings and designed to connect 2000 nodes. The blocks were connected with fiber optic cables, and 2000 users regularly use the network. Within a block, every floor is connected to a floor switch and then to the distribution switches. The whole system is connected to a 30 Mbps Internet link for providing various online applications. The services offered include Internet access, web portals, application services, e-mail and RAS. Various security tools such as a content filter, firewalls, NIDS, anti-spam and antivirus are installed. Though the network is spread over all blocks, traffic is captured at only one building. Based on the analysis of the alarms in the proposed model, the experimental IDS was hosted behind the firewall. The regular authentication process is based on the domain login/password; all users have to log in to access the services, and the proxy is assigned based on the user's role. Snort [16] (version 2.6) was installed as the intrusion detection system for obtaining network-specific useful alarms, WinPcap [17] (version 4.0) to collect the packets in promiscuous mode, and MySQL [18] (version 4.0.25) to store and process the data. The Snort IDS was installed and the alerts were observed for a period of time with slight changes in configuration. The alert logs were analyzed, and analysis of alert trends found a few cases where false positives were very high. Most administrators think that a pile of false positives is preferable, since they can turn off what they don't want. This attitude results in bad configuration, and Snort will issue more false positive alerts. Neelakakantan [19] says network intrusion detection systems must process a lot of network data in a short time; these systems require a good deal of processing power, a lot of RAM and much hard drive space to log information for any signature-based intrusion detection system.

Proposed model: The network intrusion detection system (NIDS) identifies attackers while they are trying to exploit vulnerabilities in the services offered by the network, and responds to the attack by giving an alert so that action can be taken. The level of security defined in the security policy of the institution / organization is important when deciding on a model to reduce false positive alarms.

Risk reduction is the objective of the IDS. The strategy for reducing false alarms is to analyze alarm cases and quantify the risk associated with alerts. The industry standard formula can be used to quantify risk: the risk is equivalent to the Single Loss Expectancy (SLE), which quantifies the potential loss if a security breach occurs. The SLE can be expressed as the formula

    SLE = Asset Value x Exposure Factor

where 'Asset Value' is the monetary value of the asset that is damaged or unavailable because of the intrusion, and 'Exposure Factor' is the percentage of the value of the asset lost because of the intrusion. Alternately, the organization can use the other model, where risk is computed as threat multiplied by exposure.

IDS alerts can be classified into three types of attacks: (1) sweeps, automated scans and port scans, (2) denial of service (DoS) attacks and (3) compromises or service attacks. The first category, sweeps and scans, does not result in immediate loss; these are an indication of a serious attack to come and do not cost the organization in the form of downtime, hence the threat level is minimum. The second category, DoS attacks, causes loss to the organization; however, the process does not last for a long period, hence the threat is medium. The last category, attacks on services and compromises, damages the organization's business prospects and is hence treated as the higher threat. Based on the risk aversion model adopted by the organization, the IDS can be customized to reduce risk by reducing the exposure factor or the threat level. To implement the model, the environment is examined to determine whether the strategy for reducing false positives should address exposure or threat. As indicated above, service compromises carry the highest monetary loss among the three attack types. To quantify this, a parameter called Attack Accuracy Level (AAL) scores the number of attempts required to expose existing vulnerabilities. If designed to fit the environment, to reflect weighted service...
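The SLE formula and the three-category threat ranking above, as an added Python example that is not code from the paper: each alert is mapped from a Snort rule classtype to one of the paper's categories, given the paper's threat level, scored with SLE = Asset Value x Exposure Factor against an asset register, and the alerts are returned in the order an administrator should look at them. The alternate risk = threat x exposure model is selectable. The classtype names are real Snort classtypes, but the classtype-to-category mapping, the asset register, the monetary values, the exposure factors and the alert records are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# The paper's three alert categories and their relative threat levels
# (sweeps/scans: minimum, DoS: medium, service compromise: higher).
THREAT_LEVEL = {"scan": 1, "dos": 2, "compromise": 3}

# Mapping from Snort rule classtypes to the paper's categories (this example's choice).
CLASSTYPE_TO_CATEGORY = {
    "attempted-recon": "scan",
    "network-scan": "scan",
    "attempted-dos": "dos",
    "denial-of-service": "dos",
    "attempted-admin": "compromise",
    "attempted-user": "compromise",
    "web-application-attack": "compromise",
}


@dataclass
class Asset:
    name: str
    value: float                 # monetary value of the asset (constructed)
    exposure: Dict[str, float]   # exposure factor per category: fraction of value lost


@dataclass
class TriagedAlert:
    sig: str
    dst: str
    category: str
    threat: int
    exposure_factor: float
    sle: float
    risk: float


# Constructed asset register with hypothetical addresses and values.
ASSETS: Dict[str, Asset] = {
    "10.1.1.10": Asset("web portal", 100_000.0, {"scan": 0.0, "dos": 0.10, "compromise": 0.60}),
    "10.1.1.20": Asset("mail server", 40_000.0, {"scan": 0.0, "dos": 0.25, "compromise": 0.50}),
}


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor, the paper's risk quantity."""
    return asset_value * exposure_factor


def triage(alerts: List[dict], assets: Dict[str, Asset], model: str = "sle") -> List[TriagedAlert]:
    """Score each alert and return them highest risk first.

    model="sle"    : risk is the single loss expectancy of a successful intrusion.
    model="threat" : risk is threat level x exposure factor (the paper's alternate model).
    An unknown category or an unregistered destination gives zero exposure, so the
    alert sinks to the bottom of the list but is kept rather than silently dropped.
    """
    scored = []
    for a in alerts:
        category = CLASSTYPE_TO_CATEGORY.get(a["classtype"], "unknown")
        threat = THREAT_LEVEL.get(category, 0)
        asset = assets.get(a["dst"])
        ef = asset.exposure.get(category, 0.0) if asset else 0.0
        value = asset.value if asset else 0.0
        sle = single_loss_expectancy(value, ef)
        risk = sle if model == "sle" else threat * ef
        scored.append(TriagedAlert(a["sig"], a["dst"], category, threat, ef, sle, risk))
    # tie-break on threat level so a compromise attempt against an unregistered host
    # still outranks a harmless scan with the same zero risk
    return sorted(scored, key=lambda t: (t.risk, t.threat), reverse=True)


# Constructed alerts in the shape of Snort alert fields (signature names are made up).
SAMPLE_ALERTS = [
    {"sig": "SCAN TCP portsweep", "classtype": "attempted-recon", "dst": "10.1.1.10"},
    {"sig": "DOS SMTP connection flood", "classtype": "attempted-dos", "dst": "10.1.1.20"},
    {"sig": "WEB command injection attempt", "classtype": "web-application-attack", "dst": "10.1.1.10"},
    {"sig": "ATTACK root shell response", "classtype": "attempted-admin", "dst": "10.1.1.99"},
]

if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS, ASSETS):
        print(f"{t.risk:>10.1f}  threat={t.threat}  {t.category:<10}  {t.sig} -> {t.dst}")
```

With these constructed values the web portal compromise (SLE 60,000) tops the list, the mail server DoS (SLE 10,000) comes second, and the two zero-SLE alerts are ordered by threat level, which is the behaviour the paper argues for: scans last, compromises first.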

