Building Intrusion Pattern Miner for Snort Network Intrusion Detection System

Lih-Chyau Wuu, Sout-Fong Chen
Department of Electronic Engineering, National Yunlin University of Science and Technology, Taiwan, R.O.C.
E-mail [email protected]

ABSTRACT

In this paper, we propose a framework for the Snort network-based intrusion detection system that gives it the ability not only to search for new attack patterns automatically, but also to detect sequential attack behaviors. To do that, we first build an Intrusion Pattern Discovery Module to find single intrusion and sequential intrusion patterns from a collection of attack packets in an off-line training phase. The module applies data mining techniques to extract descriptive attack signatures from large stores of packets, and then converts the signatures to Snort detection rules for on-line detection. In order to detect sequential intrusion behavior, the Snort detection engine is accompanied by our Intrusion Behavior Detection Engine. When a series of incoming packets matches the signatures representing a sequential intrusion scenario, the Intrusion Behavior Detection Engine raises an alert.

Keywords: Network-based Intrusion Detection, Data Mining, Misuse Detection, Intrusion Pattern, Snort NIDS.

1.

Network security is becoming increasingly important since computers have been networked together. Intrusion detection [1-2] is one of the tools that provide protection to computer networks. There are two types of intrusion detection: network-based systems and host-based systems. Network-based intrusion detection systems (NIDS) [3] are placed on the network to monitor the network traffic and detect packets from the intruder. Host-based intrusion detection systems (HIDS) [4-6] run on the systems being monitored to analyze the commands and detect any suspicious activity. Intrusion detection techniques [1-2] can be categorized into misuse detection and anomaly detection. Misuse detection uses patterns of well-known attacks to identify intrusions, so it is unable to detect any future intrusions that have no known patterns. Anomaly detection first establishes normal usage patterns using statistical measures on system features, and then tries to determine whether observed activity deviates from the established normal usage patterns.

Snort [7] is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. However, Snort cannot generate intrusion patterns automatically. This means that experts must first analyze and categorize attack packets and hand-code the corresponding patterns and rules for misuse detection. After that, system administrators manually configure the Snort detection rules into the network intrusion detection system. This results in Snort having limited extensibility and adaptability. In this paper, we enhance the functionality of Snort by adding an Intrusion Pattern Discovery Module and an Intrusion Behavior Detection Engine to the original Snort system. That not only makes Snort mine single and sequential intrusion patterns automatically, but also extends the detection ability of Snort.

2. SYSTEM ARCHITECTURE

Our system proceeds in two phases: off-line training and on-line detecting.

2.1 Off-line training phase

Figure 1 illustrates that our system in the off-line training phase consists of attacking hosts, victim hosts, and a host running the Snort software together with our Intrusion Pattern Discovery Module. We use the Sniffer module of Snort to catch the packets from the attacking hosts and store those packets in a MySQL database [8]. The Intrusion Pattern Discovery Module has two miners: a single intrusion pattern miner and a sequential intrusion pattern miner. The miners apply data mining techniques [9-15] to extract descriptive attack signatures from the packets stored in the MySQL database, and then convert the signatures to Snort detection rules used in the on-line detecting phase.

Figure 1: The system structure of off-line training

477 0-7803-7882-2/03/$17.00 ©2003 IEEE
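The off-line training pipeline described in Section 2.1 (capture attack packets, mine single and sequential patterns, convert them to Snort rules) is shown below as an added, self-contained example; it is not the paper's code, and the paper's own mining algorithms are not given on this page. It assumes a simplified Apriori over three packet attributes (protocol, destination port, payload) for the single-pattern miner, contiguous-subsequence counting over per-session packet orderings for the sequential-pattern miner, a constructed packet sample standing in for the MySQL store, and an assumed local SID range starting at 1000001 with `$HOME_NET` as the destination variable.

```python
"""Added illustration of the paper's off-line training phase (not the authors' code)."""
from collections import Counter, defaultdict

# Constructed sample of captured attack packets (a stand-in for the MySQL store).
# Fields: session id, order within the session, protocol, destination port, payload.
# Payloads are invented probe strings, not real attack traffic.
PACKETS = [
    ("s1", 1, "tcp", 80, "GET /cgi-bin/probe-a"),
    ("s1", 2, "tcp", 80, "GET /cgi-bin/probe-b"),
    ("s1", 3, "tcp", 21, "USER anonymous"),
    ("s2", 1, "tcp", 80, "GET /cgi-bin/probe-a"),
    ("s2", 2, "tcp", 80, "GET /cgi-bin/probe-b"),
    ("s2", 3, "tcp", 21, "USER anonymous"),
    ("s3", 1, "tcp", 80, "GET /cgi-bin/probe-a"),
    ("s3", 2, "tcp", 80, "GET /cgi-bin/probe-b"),
    ("s4", 1, "udp", 53, "version.bind"),
    ("s4", 2, "tcp", 21, "USER anonymous"),
]


def packet_items(pkt):
    """Map one packet record to the set of attribute items the miner works on."""
    return frozenset({f"proto:{pkt[2]}", f"dport:{pkt[3]}", f"content:{pkt[4]}"})


def mine_single_patterns(packets, min_support):
    """Simplified Apriori: return the maximal frequent itemsets as (items, support)."""
    transactions = [packet_items(p) for p in packets]
    n = len(transactions)

    def support(itemset):
        return sum(itemset <= t for t in transactions) / n

    items = {i for t in transactions for i in t}
    level = {frozenset([i]) for i in items if support(frozenset([i])) >= min_support}
    frequent = set(level)
    k = 2
    while level:  # grow candidates one item at a time from the previous frequent level
        candidates = {a | b for a in level for b in level if len(a | b) == k}
        level = {c for c in candidates if support(c) >= min_support}
        frequent |= level
        k += 1
    # A signature is a frequent itemset not contained in any larger frequent itemset.
    maximal = [s for s in frequent if not any(s < o for o in frequent)]
    return sorted((sorted(s), support(s)) for s in maximal)


def mine_sequential_patterns(packets, min_support, max_len=4):
    """Count contiguous payload subsequences per session; return (steps, support)."""
    sessions = defaultdict(list)
    for sid, _order, _proto, _port, payload in sorted(packets, key=lambda p: (p[0], p[1])):
        sessions[sid].append(f"content:{payload}")
    n = len(sessions)
    counts = Counter()
    for seq in sessions.values():
        seen = set()  # count each pattern once per session, however often it recurs
        for length in range(2, min(max_len, len(seq)) + 1):
            for i in range(len(seq) - length + 1):
                seen.add(tuple(seq[i:i + length]))
        counts.update(seen)
    return sorted((list(pat), c / n) for pat, c in counts.items() if c / n >= min_support)


def escape_content(text):
    """Escape the characters Snort requires escaped inside a content:"..." option."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def to_snort_rule(itemset, sid):
    """Convert one mined itemset into a Snort rule line (assumed $HOME_NET, local SID)."""
    fields = dict(item.split(":", 1) for item in itemset)
    proto = fields.get("proto", "ip")
    dport = fields.get("dport", "any")
    opts = [f'msg:"mined pattern {sid}"']
    if "content" in fields:
        opts.append(f'content:"{escape_content(fields["content"])}"')
    opts += [f"sid:{sid}", "rev:1"]
    return f"alert {proto} any any -> $HOME_NET {dport} ({'; '.join(opts)};)"


def build_rules(packets, min_single=0.3, min_seq=0.5, base_sid=1000001):
    """Return Snort rules for single patterns and sequential patterns as SID lists."""
    rules, sid_of_content = [], {}
    for sid, (items, _) in enumerate(mine_single_patterns(packets, min_single), start=base_sid):
        rules.append(to_snort_rule(items, sid))
        for item in items:
            if item.startswith("content:"):
                sid_of_content[item] = sid
    # A sequential pattern is an ordered list of single-pattern SIDs; a behavior
    # engine would alert when alerts with these SIDs occur in this order.
    sequences = [[sid_of_content.get(step) for step in pat]
                 for pat, _ in mine_sequential_patterns(packets, min_seq)]
    return rules, sequences


if __name__ == "__main__":
    mined_rules, mined_sequences = build_rules(PACKETS)
    print("\n".join(mined_rules))
    for steps in mined_sequences:
        print("sequence:", " -> ".join(map(str, steps)))
```

The sequential patterns are deliberately left as ordered SID lists rather than Snort `flowbits` rules: `flowbits` only tracks state within one flow, whereas the scenarios the paper targets (here, web probes followed by an FTP login in the same session) may span several connections, which is why the paper pairs Snort with a separate Intrusion Behavior Detection Engine.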