The Development of Network Intrusion Detection Systems - Research Paper Example


Assessment: Networking and IT Field

The research article critically reviewed here is "An Empirical Analysis of NATE - Network Analysis of Anomalous Traffic Events", authored by Carol Taylor and Jim Alves-Foss (Taylor & Alves-Foss, 2002).

Aim of the research

The research paper aims to validate an approach against actual real-time data, an approach that addresses two major issues left unattended in the development of network Intrusion Detection Systems (IDS) by previous researchers:
  • minimising the high time constraints in performing the IDS operations;
  • improving the efficiency of the IDS in high-speed network traffic systems.
Although their previous research using NATE (Network Analysis of Anomalous Traffic Events) was successful in addressing these issues, the data set used to obtain those results, the MIT Lincoln Labs data set, was found to be filled with incorrect data (Lippmann, R. & Zissman, M. 1998); hence the objective of the current paper is to obtain the same results with actual data. In addition, comparable statistics for relevant alternative methods are discussed to give a comparative analysis. The chosen method, NATE, is based on an anomaly-based approach instead of the traditional signature-based approach.

Purpose of this research

With the exponential improvements in technology and the rapid uptake of cloud computing across several parts of the world, the world is moving towards an interconnected system of networks in which the exchange of information has become as easy as on standalone systems. Such scenarios have also opened a window of opportunity for intruders to get past the security systems. In such a scenario there is a great need for highly active and extremely fast detection systems. Thus the authors' attempt to gain an upper hand in developing such systems with the right objectives is imperative.

Literature Review

The research paper deals with problems in the network security domain, specifically the development of Intrusion Detection Systems. Several studies have been done on the same subject by various researchers, and the paragraphs below explain some of the current trends in research related to the objectives of this work. The paper gives an overview of the anomaly-based detection techniques used in the past, explaining their evolution from identifying anomalies merely by monitoring the user's usage pattern, through a system that combined statistics with rules governing network traffic, to the NIDES system, which standardised the groundwork for a basic Intrusion Detection System (Wu, et al., 1999). The paper also includes an analysis of research results that classified the types of intrusion through the development of a classification tree (Chapple, 2000). Several other techniques followed, such as the conditional probability technique, the multivariate grouping technique and cluster analysis (Eskin, E. et al., 2000). Cluster analysis was the only one closely similar in technique to the approach under discussion, but the authors are of the opinion that the other approach would fail in adverse network conditions (Portnoy, L. 2000). The paper merely mentions these techniques as current research directions and does not examine them in detail. Another approach, proposed by Sekar et al. (1999), follows the same anomaly-based technique and deals with the high-performance issues of Intrusion Detection Systems, time constraints being one of them. They used efficient pattern-matching algorithms combined with real-time checking of the systems in both static and dynamic conditions.

Ke Wang and Salvatore (2004) have also developed an anomaly-based network IDS, but it works on the payloads of the packets, whereas the system under consideration works on the header information of the packets.

Research Method – Tools and Techniques

The research undertaken here tests the validity of NATE with actual data. NATE is specialised to perform well in high-speed network traffic systems with minimal time. Its high performance in comparison with other ID systems is due to two factors:
  • it uses a minimal number of attributes (TCP flags and bytes transferred) to detect an attack (Taylor, 2001);
  • it acts only on the header information of each packet, while other techniques work on the payloads.
The major disadvantage of checking only the header information is that intrusions carried out at the application level can never be detected. Several techniques were used to develop NATE; they are summarised below.

Cluster analysis

This technique is used to identify the normal state of the network by clustering the total number of packets sent and received in the network. Although the probability of capturing the actual state of the network is high, there is every possibility of it going wrong too: several external attributes such as user information, purpose of usage, etc. (Taylor, 2001) could hinder the chances of capturing the true nature of the network.

Sampling Strategy

A sampling strategy is used in order to analyse the data, and two types are discussed in the research. In TCP-type sampling, equal numbers of packet sets were used for analysis for each TCP type in order to get a full picture of the network traffic (Vaccaro & Liepins, 1989). However, there is a real possibility that the range of network traffic across TCP types is not captured, since there is no variation within the packet set of each type. The second type of sampling strategy is attribute distribution sampling (Taylor, 2001). This technique is based on the most varying attribute: using twice its standard deviation, the entire set of TCP packets is divided into two groups, which are further divided into equal sample sets. This strategy succeeded in providing the full network picture because it does not cluster TCP packets by type.

Distance measures

The Mahalanobis distance technique was used to identify the difference between a normal cluster and an anomalous one. The important advantage of this technique is that it offers additional validity to the result by including information about the correlations present in a sample of data, and by being multivariate (Allen et al., 2000).

Research process

The research process involved setting up a small network where only web-related and mail-sending services were open. With a firewall in place, only a predetermined set of protocol packets was analysed, allowing control over the information being transported. The data, containing both normal and anomalous packets, was collected using a sniffer, Blackhole (Debar, Dacier, Wespi, 1999). Anomalies were identified from this set by classifying them into two sections: simple scan and probe data, and Denial of Service attack data, where the requests fill up the stack with duplicate information. The two sets of anomalous data were collected using flag screening and an outlier removal process respectively (Paxson, 1994). The critical aspect of this method was the manual configuration of the firewall, which was designed to allow only specific kinds of packets into the network. This calls into question the scalability of the method to different kinds of packets. Also, there is no mention of the traffic speed, which could have provided better insight into the research process.
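The method section above describes NATE's core loop in prose only: summarise each TCP session from header fields (flags and bytes), build a profile of the normal cluster, and measure how far a new session lies from it with the Mahalanobis distance, which accounts for correlations between the attributes. The block below is an added illustration of that loop, written for this review; it is not code from the reviewed paper or from NATE itself. The feature vector (packet count, ACK-carrying packets, payload bytes per session), the training sessions, the scan and flood packet traces, the ridge term on the covariance diagonal, and the 3.0 distance cut-off are all assumptions constructed for the example; the review gives none of these values.

```python
"""Header-only session scoring in the style of NATE: profile normal TCP
sessions by mean and covariance, then flag sessions whose Mahalanobis
distance from that profile is large. Added illustration, not code from
the reviewed paper; every packet and session record here is constructed."""
from dataclasses import dataclass
from math import sqrt

# Each session is summarised from header fields only: (packets, packets
# carrying the ACK flag, payload bytes). No payload is inspected, so an
# application-level attack would be invisible to this scorer.
# Constructed training set: ordinary short web/mail sessions.
NORMAL_SESSIONS = [
    (10, 9, 1500), (12, 11, 2800), (8, 7, 900), (14, 12, 4100),
    (9, 8, 1200), (11, 10, 2300), (7, 6, 600), (13, 11, 3500),
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str        # tcpdump-style letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST
    payload_len: int

def session_features(packets):
    """Aggregate packets into per-session feature vectors, keyed on the two
    endpoints so both directions of a connection land in one record."""
    sessions = {}
    for p in packets:
        key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        n, acks, nbytes = sessions.get(key, (0, 0, 0))
        sessions[key] = (n + 1, acks + int("A" in p.flags), nbytes + p.payload_len)
    return sessions

def mean_vector(rows):
    return [sum(r[j] for r in rows) / len(rows) for j in range(len(rows[0]))]

def covariance(rows, mean, ridge=1e-6):
    """Unbiased sample covariance. The small ridge on the diagonal is an
    added safeguard (not part of NATE) so tiny samples stay invertible."""
    d, n = len(mean), len(rows)
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        dev = [r[j] - mean[j] for j in range(d)]
        for i in range(d):
            for j in range(d):
                cov[i][j] += dev[i] * dev[j] / (n - 1)
    for i in range(d):
        cov[i][i] += ridge
    return cov

def invert(m):
    """Gauss-Jordan inverse with partial pivoting (pure Python, no numpy)."""
    d = len(m)
    a = [[float(v) for v in row] + [float(i == j) for j in range(d)]
         for i, row in enumerate(m)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        if p == 0.0:
            raise ValueError("singular covariance matrix")
        a[col] = [v / p for v in a[col]]
        for r in range(d):
            if r != col:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[d:] for row in a]

def mahalanobis(x, mean, inv_cov):
    """sqrt((x - mean)^T inv_cov (x - mean)); zero at the cluster centre."""
    dev = [x[j] - mean[j] for j in range(len(mean))]
    tmp = [sum(inv_cov[i][j] * dev[j] for j in range(len(dev))) for i in range(len(dev))]
    return sqrt(max(0.0, sum(t * v for t, v in zip(tmp, dev))))

def build_profile(rows):
    mean = mean_vector(rows)
    return mean, invert(covariance(rows, mean))

def classify(x, profile, threshold=3.0):
    """Label one session. The 3.0 cut-off is an assumed value (about the 97.5%
    chi-square point for three features); the review gives no NATE threshold."""
    mean, inv_cov = profile
    dist = mahalanobis(x, mean, inv_cov)
    return ("anomalous" if dist > threshold else "normal"), dist

# Constructed traces for the two anomaly classes the review names: a scan/probe
# (one SYN answered by RST, no data) and a half-open flood (the same SYN
# repeated and never completed, no data).
SCAN_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", 40001, 25, "S", 0),
    Packet("192.0.2.10", "198.51.100.7", 25, 40001, "RA", 0),
]
FLOOD_PACKETS = [Packet("203.0.113.5", "192.0.2.10", 51000, 80, "S", 0)] * 200

def score_traces(profile=None):
    """Score each constructed trace; returns {name: (label, distance)}."""
    profile = profile or build_profile(NORMAL_SESSIONS)
    results = {}
    for name, pkts in (("syn_scan", SCAN_PACKETS), ("syn_flood", FLOOD_PACKETS)):
        for vec in session_features(pkts).values():
            results[name] = classify(vec, profile)
    return results

if __name__ == "__main__":
    for name, (label, dist) in score_traces().items():
        print(f"{name}: {label} (Mahalanobis distance {dist:.1f})")
```

Two points the prose alone does not make visible: because the features are strongly correlated (a session with more packets also carries more ACKs and more bytes), a plain per-attribute z-score would under- or over-flag sessions that are far off the correlation line, which is exactly what the covariance term corrects; and because only header counts are used, a malicious request inside an otherwise ordinary-looking session produces the same (packets, ACKs, bytes) vector as a benign one, which is the application-level blind spot the review points out.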
Research outcome

With the restriction placed on the type of packets, and in a controlled environment, the approach has proven that anomalies such as probes and denial of service attacks can be easily distinguished from normal packets in a high-traffic network system. The initial contradiction between the sampling techniques opens an opportunity for further research on which attributes of a TCP packet can be taken into consideration for sampling; it also indicates that there is no need for sampling based on TCP type. Similarly, with the distance measure techniques there is a possibility of randomness in the normal distribution and hence an inaccurate analysis of the data, so comparing the results of other techniques on the same data set is a future area of study. Further research options also remain in testing the current setup with various types of packet, especially variations in 'ssh' and 'https' packets (Vaccaro & Liepins, 1989). The chosen research article, its aim, current research trends in its domain, its research method, research outcomes and future research options have been discussed.

References

  • Taylor, C. & Alves-Foss, J. 2002. An Empirical Analysis of NATE – Network Analysis of Anomalous Traffic Events. New Security Paradigms Workshop '02.
  • Lippmann, R. & Zissman, M. 1998. Intrusion detection technical evaluation - 1998 project summary. [Online] Available at: http://www.darpa.mit/ito [accessed 28 Feb. 2011].
  • Taylor, C. 2001. NATE - Network Analysis of Anomalous Traffic Events: A Low-cost Approach. Masters Thesis.
  • Allen, J. et al. 2000. State of the practice intrusion detection technologies. Carnegie Mellon, SEI, Tech Report.
  • Chapple, M.J. 2000. Network intrusion detection utilizing classification trees. Masters Thesis, Computer Science Department, University of Idaho.
  • Debar, H., Dacier, M. & Wespi, A. 1999. Towards a taxonomy of intrusion detection systems. Computer Networks, 31: pp. 805-822.
  • Paxson, V. 1994. Empirically derived analytic models of wide area TCP connections. IEEE Transactions on Networking, 2(4).
  • Vaccaro & Liepins. 1989. Detection of anomalous computer session activity. In Proceedings of the 1989 IEEE Symp. on Security and Privacy, pp. 280-289.
  • Wu, et al. 1999. Design and implementation of a scalable intrusion detection system for the OSPF routing protocol. [Online] Available at: www.anr.mcnc.org [accessed 28 Feb. 2011].
  • Eskin, E. et al. 2000. Adaptive model generation of intrusion detection. In Proceedings of the ACM CCS Workshop on Intrusion Detection and Prevention. Athens, Greece.
  • Portnoy, L. 2000. Intrusion detection with unlabelled data using clustering. Undergraduate Thesis. Columbia University, Dept. of Computer Science.
  • Sekar et al. 1999. A high-performance network intrusion detection system. Proceedings of the 6th ACM Conference on Computer and Communications Security, pp. 8-17.
  • Wang, S. & Salvatore, J. 2004. Anomalous Payload-Based Network Intrusion Detection. Recent Advances in Intrusion Detection. Lecture Notes in Computer Science, 3224: 203-222.