Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties. Session 1341: Case Studies of Security Studies of Intrusion Traffic Patterns Using OPNET Mian Zhou, Sheau-Dong Lang University of Central Florida

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Outline  Simulation of network intrusion scenarios.  Testing a frequency-based intrusion detection strategy.  Studying the effects of transmission delays on our detection strategy.

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security  Use OPNET to simulate intrusion scenarios by replaying the network traffic.  Traffic data sources. The publicly available datasets from MIT Lincoln lab. Self-generated attack traffic.  Attack tools: Nmap, Battle  Sniffer: Ethereal Our Approach to Intrusion Simulation

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Simulation using OPNET Network domainNode domain Process domainC code for a process node

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security  Process the TCPDUMP data.  The packet inter-arrival times.  The traffic duration.  A list of the distinct IP addresses in the traffic source.  Build a network model with the end nodes corresponding to the extracted IP addresses. Pre-processing Traffic Data

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security The attribute panel of the packet generator, with scripted packet inter-arrival times calculated from pre-processing the source data Packet format: Drop the payload of original packets but retain the IP header information including IP address, port number, packet size, time stamp, flags, etc. OPNET Model — Packet Generator

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Data Source: 1999 Lincoln Week 5 outside data DOS attack: ProcessTable (a) Number of distinct port connections to a victim.(b) Data traffic to Port 25 of the victim PC. Two Sample Outputs from Simulation of the ProcessTable attack

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Frequency-based Intrusion Detection  Observation: Certain network attacks are executed by running pre-written scripts which automate the process of connecting to various ports, sending packets with fabricated payloads, etc.  Frequency-based intrusion detection. Use Discrete Fourier Transform (DFT) to identify periodicity patterns.  Where to find the periodicity patterns. The time series of packets’ inter-arrival times. The time series of packet arrival rates. The size distribution of packet payloads.

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Variance analysis Data sequence for each connection Traffic data Parse New connection history Generate the time-series data Average variance of packet size for each connection Compare with a threshold value Report attacks DFT Pass the trusty Connections Data sequence for multiple connections Global frequency pattern Local frequency pattern Overall Detection Strategy new connections

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Frequency Extraction by Discrete Fourier Transform (DFT) Expanding the right-hand side yields Using the Fast Fourier Transformation (FFT) procedure, the frequency data F(k) can be computed in O(N logN) time. For a given data sequence s(n) where n  0 is a discrete value representing the time, its DFT coefficients F(k) are defined as follows 0  k  N –1, N is the length of s(n)

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Detection Results: the ProcessTable Attack Frequency patterns extracted by DFT on inter-arrival times of six connections. Connections 2 and 4 show periodicity patterns. The traffic of connection 2 is the ProcessTable attack; connection 4 is a Probe attack, which probes the target’s ports ranging from 1794 to

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Detection Results: the Dictionary Attack Frequency patterns on inter-arrival times of six connections for the Dictionary attack. Connection 2 shows the password guessing (dictionary) attack

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Detection Results: the sshProcessTable Attack Frequency patterns of the rates of packet arrivals of six connections for the sshProccessTable attack. Connection 2 contains the attack traffic Frequency patterns of inter-arrival times for six connections, Connection 2 shows the attack traffic.

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security The Effect of Transmission Delays on Frequency patterns The spectrum (frequency patterns) of three time series data, where the original data values  [0.002, 0.5]. (a)The spectrum of the original data series X(t). (b)The spectrum of the X(t) + exp(0.5) (exponentially distributed delay with mean value 0.5 seconds) (c)The spectrum of the X(t) + exp(5). (a)(b)(c)

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Transmission delay in LANs A simple LAN, in which the web client sends the traffic to three servers. We collected the inter-arrival times of the traffic to the main server. The profile configuration panel

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security The Effect of Transmission Delays The inter-arrival times and frequency patterns collected: (a) at the sender (the web client); (b) at the receiver (the main server). (a) (b) Frequency patterns collected at the main server, when other types of explicit traffic loads are added to the web client traffic.

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Transmission Delays in WANs A WAN, in which the site Dublin sends traffic to site London through an Internet cloud. Other types of traffic such as and ftp are created by the other 5 nodes and coexisted with the custom traffic from Dublin. The configuration panel for the Internet cloud, where we specify the statistical distribution of the packet latency caused by traversing the Internet. The packet delivery process of the custom traffic is controlled by scripted packet time intervals.

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security The Effect of Transmission Delays in WANs Frequency patterns of the packet inter-arrival times with different Internet transmission delays. The distributions for transmission delay include constant, uniform, and exponential. Frequency patterns of the packet inter-arrival times with exponentially distributed transmission delays. The spectrum starts to deviate from the original as the mean value increases.

Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties Security Conclusions  Frequency-based intrusion detection  Detects anomalous traffic behaviors (that contain periodicity patterns)  Improves the effectiveness of signature-based intrusion detection systems when combined with other simple statistical features of the traffic data.  Needs measures to counter attacks with randomized script.  limited to the attacks with relatively long duration and heavy load.  Transmission delay on frequency patterns  Frequency patterns will not be affected by near constant transmission delay.  Frequency patterns persist in LANs.  In WANs, further studies on packet latency required.