Research on Distributed Intrusion Detection System Based on Protocol Analysis

Xiaohong Qu (1,2,3), Zhijie Liu* (1), Xiaoyao Xie (1), Member, IEEE

1. Key Laboratory of Information and Computing Science of Guizhou Province, Guizhou Normal University, Guiyang, China
2. School of Education Technology and Science, Shanxi Datong University, Shanxi, China
3. School of Mathematics & Computer Science, Guizhou Normal University, Guiyang, China
qxh800722@163.com, liuzj@gznu.edu.cn (corresponding author: Zhijie Liu)

Abstract - Intrusion Detection System is a new safeguard technology for system security that follows traditional technologies such as firewalls and message encryption. For an intrusion detection system, choosing a better detection method improves detection efficiency; traditional intrusion detection systems, because of their large amount of calculation and high rates of omission and misreporting, no longer meet the needs of current network systems. Protocol analysis is a key technology for network intrusion detection. Based on that idea, this paper presents a distributed intrusion detection system model based on protocol analysis; by using protocol analysis technology in the detection module, the processing work becomes very simple. Compared with other models, analysis shows that the model has obvious advantages: it can decrease the false-negative (FN) rate and enhance the capability of the system.

Keywords - Protocol Analysis; Distributed; Intrusion Detection System; Network Security

I. INTRODUCTION

With the rapid development of computer and network technology, network security has become more important, its aim being to protect network information from many kinds of attack [1]. To protect the network from a variety of possible abuses, using only a single firewall cannot meet the requirements; real-time monitoring of the network is also needed, so that an intrusion can be stopped, as far as possible, before the attack happens [2]. Intrusion Detection System was developed and grew up against this background. As a new, active security-defence mechanism, an Intrusion Detection System can provide dynamic protection for hosts and networks: it not only monitors internal attacks, external attacks and misoperation in real time, but also combines with other network security products to protect the network in full range. Its real-time and proactive characteristics are an important complement to the firewall. Today, in overall network security solutions, intrusion detection has become an indispensable component. However, with the continuous expansion of network scale and the growing complexity of attack methods, the Distributed Intrusion Detection System has come into being. Through decentralized collection, distributed processing and centralized management, such a structure meets the security needs of large-scale, high-speed networks. The Distributed Intrusion Detection System plays a very important role in the distributed, diversified, multi-service, multi-application, multi-user network of modern information security construction [3].

II. PROTOCOL ANALYSIS TECHNOLOGY

The early detection technologies of Intrusion Detection Systems are misuse detection and anomaly detection. Misuse detection is based on known methods of intrusion attack, which it matches and identifies. The technique commonly used is simple pattern matching. It is simple, scales well and detects efficiently, but it applies only to relatively simple attacks and has a high false alarm rate. Although simple pattern matching has a big performance problem, it is widely used because system implementation, configuration and maintenance are very convenient. An anomaly detection system stores the user's normal patterns of behaviour in advance, and behaviour inconsistent with the user's normal patterns is considered an attack. Anomaly detection is the main research direction of Intrusion Detection Systems; it is characterized by detecting abnormal behaviour of the system and finding unknown attack patterns. The key question of anomaly detection is how to establish the normal usage pattern and how to compare the current system/user behaviour with the normal model in order to judge the degree of deviation from it. IDS systems using these two methods do not have the intelligence to determine the true intention of the observed patterns, and this is where the advantages of protocol analysis lie. Protocol analysis is the main technical means by which the new generation of IDS systems detects attacks: it uses the high degree of regularity of protocols to locate, for each protocol, the reported fields of the packet, and analyses only the information that is useful for intrusion detection. Protocol decoding decodes not only the lower-layer protocols but also the application-layer protocol. Since protocol analysis guides the search to a specific part of the packet rather than the entire payload, reducing the search space, it can improve the efficiency of intrusion detection.

III. THE FUNDAMENTAL STRUCTURE OF PROTOCOL

The Ethernet MAC frame format has two different standards: one is DIX Ethernet V2, the other is the IEEE standard 802.3 [4]. The Ethernet V2 format is the one most often used for current MAC frames; the upper-layer protocols include IP, IPX, ARP, SNMP and NetBEUI. Its frame format is shown in TABLE I.

TABLE I. ETHERNET FRAME FORMAT
SYN | SFD | DA | SA | Type | IP datagram | FCS

A. IP datagram

Among the transport protocols, TCP, UDP, ICMP and IGMP data are all transmitted in the IP data format. An IP datagram is divided into the IP header and the IP data. The IP header contains the version, header length, service type, TL, identifier, flag, fragment offset, TTL, type, header checksum, source IP address and destination IP address; see TABLE II [5,10].

TABLE II. IP DATAGRAM FORMAT (bit positions 0, 4, 8, 16, 19, 24, 31)
Version | Header length | Service type | TL
Identifier | flag | Fragment offset
TTL | type | Header checksum
Source IP address
Destination IP address
IP options | data fill

The protocol field occupies 8 bits; its value indicates which protocol the data carried by the IP datagram uses. For example, a protocol field value of 6 indicates that the data part uses the TCP protocol.

B. TCP datagram

Transmission Control Protocol is a reliable, connection-oriented transmission service. It transmits by segments, and a conversation must be built before data is exchanged. It communicates as a bit stream, that is, unstructured data as a byte stream. Each TCP transmission is given a sequence number for reliability. A TCP datagram is divided into the TCP header and TCP data; the header contains the source port, destination port, sequence number, acknowledgement number and so on [5,10].

IV. DISTRIBUTED INTRUSION DETECTION SYSTEM MODEL BASED ON PROTOCOL ANALYSIS

A. Detector unit model

The most important part of the system is the design and working pattern of the Detect Module, which is based on the principle of protocol analysis. It contains two parts, the data capture module and the protocol analysis module; its structure is shown in Figure 1. The major role of the data capture module is to capture data on the network and then send it to the protocol analysis part; this role is simple and easy to achieve. Protocol analysis is the focus of this module: it parses the captured data, and its working principle is as follows.

From the Ethernet frame, get the Ethernet header. The Ethernet header is 14 bytes long: a 6-byte destination Ethernet address, a 6-byte source Ethernet address and a 2-byte frame type. The frame type gives the protocol type carried in the data frame, such as ARP, RARP, IP or IPX, whose corresponding protocol numbers are 0806, 8035, 0800 and 8137. ARP/RARP are data link protocols and IP and IPX are network layer protocols; only the IP (0800) protocol is taken for further analysis.

Where there are no option items, the IP header length is 20 bytes. Its main contents include the source IP address, destination IP address, fragment flag and offset, and the protocol type of the IP payload (one byte long). The protocol type within the IP packet indicates the protocol of the IP packet's payload, that is, TCP, UDP or ICMP, whose corresponding protocol numbers are 6, 17 and 1.

In the transport layer, where there are no option items, the TCP header length is 20 bytes. Its main contents include the source port, destination port, flags, sequence number, ACK and so on. The TCP header contains six flags, URG, SYN, ACK, FIN, RST and PSH, which reflect the status of the TCP connection: for example, the two sides of a TCP connection always begin a new connection by exchanging SYN packets, and terminate a connection with FIN or RST. The packet type can be obtained from the source and destination ports of the TCP packet, such as TELNET port 23, EMAIL port 25 and so on.

The application layer contains a great many protocols; we analyze only some daily applications, such as FTP, E-MAIL, TELNET, WWW and so on. After this protocol analysis, the protocol analysis module extracts the protocol keywords of the application protocol from the data packets; for FTP packets, for example, the RETR (GET operation), STOR (PUT operation) and other protocol keywords can be extracted [6]. By comparing these keywords in the upper part of the detector module, we are able to determine whether a network intrusion has happened [7].

B. Distributed Intrusion Detection System Model

Although an Intrusion Detection System can identify unauthorized use, abuse or misuse of computer and network systems, as intrusions have become more and more complex an individual intrusion detection system has been unable to deal with complex security issues. So a number of intrusion detection system agents are put on the network, and a process module is set up to deal with the keyword data carried from the intrusion detection system agents, doing comprehensive analysis to determine whether an attack happens; this is the Distributed Intrusion Detection System. This system is divided into the Detect Module, Process Module and Response Module; the relationship between the modules is shown in Figure 1.
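The detector unit of Section IV.A, using the Ethernet, IP and TCP header layouts of Section III, as an added example in Python (not the authors' code): frames are decoded layer by layer, only the application-layer keyword and a few addressing fields are reported, a process module matches the reports from several detectors against a rule base, and a response module formats the alert for the user. The port-to-application map, the rule base, the frame builder and the three sample frames are assumptions constructed for this illustration; the parser also honours the IP header-length and TCP data-offset fields, so it goes beyond the paper's "no options, 20 bytes" case and handles headers that carry options.

```python
# Added example (not the authors' code): a toy protocol-analysis detector wired up as the
# paper's Detect / Process / Response modules. Port map, rule base, frame builder and sample
# traffic are constructed for illustration; the IHL / data-offset handling goes beyond the
# paper's "no options, 20 bytes" case so that headers with options are parsed correctly.
import struct

ETHERTYPE_IP = 0x0800  # only IP (0800) frames are analysed further
IPPROTO_TCP = 6        # IP protocol numbers: TCP 6, UDP 17, ICMP 1
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
APP_PORTS = {21: "FTP", 23: "TELNET", 25: "EMAIL", 80: "WWW"}  # assumed port -> application map

def parse_ethernet(frame):
    """14-byte Ethernet V2 header: 6-byte DA, 6-byte SA, 2-byte type; returns (type, payload)."""
    if len(frame) < 14:
        raise ValueError("short frame")
    return struct.unpack("!H", frame[12:14])[0], frame[14:]

def parse_ipv4(packet):
    """IP header; honours the header-length field so options are skipped correctly."""
    if len(packet) < 20:
        raise ValueError("short IP packet")
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("bad IP header")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return {"src": src, "dst": dst, "proto": proto, "payload": packet[ihl:total_len]}

def parse_tcp(segment):
    """TCP header; the data-offset field locates the payload even when options are present."""
    if len(segment) < 20:
        raise ValueError("short TCP segment")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(segment) < data_off:
        raise ValueError("bad TCP data offset")
    flags = [name for name, bit in TCP_FLAGS.items() if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": segment[data_off:]}

def detect_module(frame):
    """Detect Module: decode Ethernet -> IP -> TCP and report only the application-layer
    keyword plus addressing, not the whole packet. Returns None for traffic it does not
    analyse (non-IP, non-TCP, unknown application, empty payload)."""
    eth_type, ip_bytes = parse_ethernet(frame)
    if eth_type != ETHERTYPE_IP:
        return None
    ip = parse_ipv4(ip_bytes)
    if ip["proto"] != IPPROTO_TCP:
        return None
    tcp = parse_tcp(ip["payload"])
    app = APP_PORTS.get(tcp["dport"])
    if app is None or not tcp["payload"]:
        return None
    line = tcp["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace")
    keyword, _, argument = line.partition(" ")
    return {"app": app, "keyword": keyword.upper(), "argument": argument.strip(),
            "src": ip["src"], "dst": ip["dst"], "flags": tcp["flags"]}

# Constructed rule base: (application, keyword, substring required in the argument, meaning).
RULE_BASE = [
    ("FTP", "RETR", "passwd", "attempt to download a password file"),
    ("FTP", "STOR", ".exe", "upload of an executable via FTP"),
]

def process_module(reports):
    """Process Module: match the agents' keyword reports against the rule base."""
    alerts = []
    for rep in reports:
        for app, keyword, needle, meaning in RULE_BASE:
            if rep and rep["app"] == app and rep["keyword"] == keyword and needle in rep["argument"]:
                alerts.append({"meaning": meaning, "src": rep["src"], "dst": rep["dst"],
                               "matched": keyword + " " + rep["argument"]})
    return alerts

def response_module(alerts):
    """Response Module: tell the user the attack means and the attacked host."""
    return ["ALERT %s -> %s: %s (%s)" % (a["src"], a["dst"], a["meaning"], a["matched"]) for a in alerts]

def build_frame(src_ip, dst_ip, dport, payload, flags=0x18):
    """Constructed test traffic (not captured data): Ethernet V2 + IPv4 + TCP, no options."""
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 1, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IP) + ip

SAMPLE_FRAMES = [  # constructed: one rule hit, one benign FTP command, one SMTP greeting
    build_frame("10.0.0.5", "10.0.0.9", 21, b"RETR /etc/passwd\r\n"),
    build_frame("10.0.0.6", "10.0.0.9", 21, b"RETR report.pdf\r\n"),
    build_frame("10.0.0.7", "10.0.0.9", 25, b"HELO mail.example\r\n"),
]

def run_dids(frames=SAMPLE_FRAMES):
    """Detect agents -> high-speed link -> Process Module -> Response Module."""
    return response_module(process_module([detect_module(f) for f in frames]))

if __name__ == "__main__":
    print("\n".join(run_dids()))
```

Running the block prints one alert for the first constructed frame; the other two decode to keyword reports that match no rule. Note how small a detector report is compared with the full frame: a handful of fields rather than the entire payload, which is what lets the process module keep its matching strings short.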

Figure 1. Model of Distributed Intrusion Detection System

In this model, Internet data passes through the Detect Module and the Process Module and can arrive at the user's computer after detection. Once a network intrusion is detected, the Process Module sends the intrusion signal to the Response Module to alert the user. Each Detect Module is a micro data-analysis system; the results of its analysis are sent through the high-speed link to the Process Module, and the Response Module determines whether there is an intrusion. The Detect Module and Process Module together make up a complete intrusion detection system. The Process Module contains a rule base holding the keyword sets of the currently common intrusion patterns; with the emergence of new intrusion techniques the rule base expands, and keywords can also be deleted. The Detect Module sends keywords to be compared with the rule base; if the arriving string of keywords matches a rule in the rule base, then an intrusion has happened, and the Response Module reports the intrusion to the user, advising the user of the attack means and the target of the attack, allowing the user to take timely preventive measures to avoid losses.

V. CHARACTERISTICS OF THE DIDS SYSTEM

The Distributed Intrusion Detection System Model based on protocol analysis has the following advantages:

A. The system structure is simple. The system consists of three modules: the Detect Module, Process Module and Response Module. Data transmission between the modules therefore needs no extra middle layers, which raises the transfer rate between the modules. Under large network data flows, this gives intrusion detection a great advantage. When there is more data traffic on the network, the undetected rate of general intrusion detection systems rises sharply, which gives a hacker an opportunity: the hacker can send a large number of flooding packets to litter the network, and if there is some delay between the detection part and the processing part, or the matching time between the rule base and the data sent is too long, then a large part of the data will certainly go undetected; the hacker can mix intrusion packets with litter packets that fall through the openings in the packet stream, so as to achieve their sinister purposes. This model uses a high-speed link, which greatly improves the data transmission speed.

B. Detection speed is fast. In the Detect Module, we extract only the important characteristics of a packet and pass them to the Process Module for processing. Their length is often only a small percentage of the length of the whole data packet, which not only saves the resources of the detection part, but also greatly improves the transmission rate of packet characteristics per unit time. Because the rule base of the central part is constituted from these intrusion characteristics, it also saves the resources of the Process Module. And because the characteristic strings are short, the matching speed can be greatly enhanced; even when a lot of data needs to be processed at the same time, the system can still complete its matching tasks, detect intrusions in a timely way and enhance the detection rate.

VI. CONCLUSION

Intrusion detection technology based on protocol analysis has become one of the technologies of the next generation of intrusion detection systems. This paper presents a Distributed Intrusion Detection System based on protocol analysis which is simple in structure, fast in detection, efficient in detection, economical in resources, and is an affordable intrusion detection system. However, the diversity of network intrusions makes complete detection impossible, especially because the rule base can only be extracted from intrusions already seen, so some intrusions fail to be recognized and detection is missed. Research on Distributed Intrusion Detection is still at an initial stage; as the technology develops, the system must be able to adapt to the trend of network data, giving the system the functions of self-learning and adaptation. The protocol analysis presented in this paper has a certain stimulating effect on improving the performance of existing distributed intrusion detection systems, and has some practical significance for the future Distributed Intrusion Detection System.

REFERENCES

[1] Chao Wang, Research and design on intrusion detection system in the computer network security, Engineering Master Dissertation, 2007.
[2] Jack Koziol, Snort: Solution of intrusion detector, Beijing: Publishing House of Machinery Industry, 2005, pp. 35-53.
[3] Xiren Xie, Computer Network, Publishing House of Electronics Industry, pp. 110-111, 2005.
[4] U.S. National Security Agency Releases, The Technical Framework of Information Assurance, Beijing: China Electronical Software Publishing House, pp. 46-57, 2004.
[5] Julia Allen, Alan Christie, et al., State of the Practice of Intrusion Detection Technologies, Technical Report, Networked Systems Survivability Program, pp. 47-85, 2000.
[6] Congwei Zheng, Tianfa Jiang, Research on Intranet network security technology based on intelligent firewall, Computer Engineering and Applications, pp. 156-158, 2005.
[7] Xiaoping Yang, Jing Su, Research on Intrusion Detection technology based on Protocol Analysis, Computer Application Research, pp. 108-110, 2004.
[8] Chen A A, Common Intrusion Detection Framework, http://seclabs.cs.ucdavis.edu/cidf, 2002-01-17.
[9] Xiaoqun Du, Scott A. Smolka, Rance Cleaveland, Local Model Checking and Protocol Analysis, Software Tools for Technology Transfer.
[10] H. S. Teng, K. Chen, S. C-Y Lu, Adaptive real-time anomaly detection using inductively generated sequential patterns, in Proceedings of 1990 IEEE Symposium on Security and Privacy, Oakland, pp. 278-284, May 1990.
[11] Ed Taylor, The Interpretation and use of TCP/IP, Publishing House of Machinery Industry, 1999.
