2.1 Snort
Snort, developed by SourceFire, is an open-source software package designed for packet capturing and real-time network traffic analysis [2]. In our research, Snort is used to identify traffic across a honeypot sensor network as either malicious or benign and, if malicious, to provide a signature of the traffic. Snort bases its analysis of the network traffic on a series of rules designed by a community of users. The results of Snort's analysis and the packet information are then stored in a MySQL database for later analysis. The information stored in the Snort database includes, but is not limited to, the malicious identification signature provided by Snort, as well as the IP and TCP, UDP, or ICMP header information of the sensor network traffic [3].
2.2 See5
See5, developed by Ross Quinlan as the successor to the ID3 and C4.5 systems, is a data mining tool that provides data classification capabilities [4]. In our research, we use See5 to discover patterns and regularities in the Snort traffic database, present them in an intelligible form, and use those patterns and regularities to create a ruleset from which we can make predictions about and classify new malicious traffic. See5 takes its input in the form of a .data flat file, which contains information about the packets stored by Snort, and can output its classification as either a decision tree or a ruleset. The ruleset output is a series of If-Then rules, selected on the basis of statistical significance [5].
2.3 Corvid
Corvid, developed by Exsys, is a knowledge automation expert system development tool [6]. It is based on Java and allows the creation of custom Java classes, providing a great deal of flexibility in modifying the operation of the created expert system. Expert systems created in Corvid are deployed as a Java applet, which allows the expert system to run on any Java-enabled system. Due to its features and flexibility, Corvid is ideal for implementing the intrusion detection rules determined by See5. Some key features include Corvid's Logic blocks, Command blocks, Collection Variables, and the user-defined Custom.java class.
2.3.1 Logic blocks. In a Corvid expert system, knowledge is encoded as a series of Logic Blocks, which organize and structure decision-making information into logically related blocks [7]. Decision-making information in a Logic Block is defined as a series of If-Then style rules. The rules can be run through either forward or backward chaining, and a Logic Block can be associated with a spreadsheet file, which allows the logic in the block to be applied sequentially to each record in the spreadsheet [8].
2.3.2 Command blocks. Corvid Command Blocks control the procedural flow of the expert system, including how the system chains, executes the Logic Blocks, loops, and displays results [9].
2.3.3 Collection variables. Collection variables are variables whose values are lists of strings [10]. They are generated during the execution of the Logic Blocks and can be passed as parameters to custom-made Java functions.
2.3.4 CUSTOM.java. Corvid natively supports a number of standard Java functions, but also recognizes a special function called CUSTOM [11]. CUSTOM.java can be passed any number of parameters and can be used to add any special functionality that is needed and can be programmed in Java.
2.4 Iptables
Iptables is the userspace command-line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset [13]. The firewall it configures is commonly known as the gateway that keeps unauthorized access out and lets authorized access in. NAT, or Network Address Translation, is responsible for forming packet headers from network address information. Together these are used to maintain a safe network environment for users. Information from the NAT can be collected, and an intelligent decision about modifying the iptables rules of the firewall can then be made.
created into a .data file for storage purposes, but it is still not in a form Corvid can use. The .data file must be converted into a spreadsheet file and then saved as a tab-delimited text file; Microsoft Excel was sufficient for this. The final step of converting the packet information was to import the tab-delimited file into Corvid from the Logic Block.
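The two steps just described, converting See5-style .data records to a tab-delimited file and then applying an If-Then ruleset to each record the way a Logic Block does over a spreadsheet, as an added illustration (this is not the paper's code or Corvid's). The attribute names, the four sample records and the three rules are constructed for the example; the paper does not list its actual See5 attributes or the ruleset it generated.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration, not the paper's code. FIELDS, DATA and RULES are
// constructed for this example (assumed attribute names and sample values).
public class RuleApplier {

    // Column order of the constructed .data file (assumed attribute names).
    static final String[] FIELDS = {"proto", "sport", "dport", "icmp_type", "sig_id"};

    // Constructed .data contents: comma separated, '?' for a missing value,
    // last column is the known class used for training.
    static final String DATA =
          "tcp,51234,445,?,2466,malicious\n"
        + "udp,53,53,?,0,normal\n"
        + "icmp,?,?,8,384,malicious\n"
        + "tcp,44321,80,?,0,normal\n";

    // One If-Then rule: every (field, value) pair must match, then -> cls.
    static final class Rule {
        final Map<String, String> conditions = new LinkedHashMap<>();
        final String cls;
        Rule(String cls, String... pairs) {
            this.cls = cls;
            for (int i = 0; i < pairs.length; i += 2) conditions.put(pairs[i], pairs[i + 1]);
        }
        boolean matches(Map<String, String> record) {
            for (Map.Entry<String, String> c : conditions.entrySet()) {
                if (!c.getValue().equals(record.get(c.getKey()))) return false;
            }
            return true;
        }
    }

    // Constructed rules in the spirit of a See5 ruleset; DEFAULT_CLASS applies
    // when no rule fires.
    static final List<Rule> RULES = Arrays.asList(
        new Rule("malicious", "proto", "tcp", "dport", "445"),
        new Rule("malicious", "proto", "icmp", "icmp_type", "8"),
        new Rule("normal", "proto", "udp", "dport", "53"));
    static final String DEFAULT_CLASS = "normal";

    // Step 1: .data (comma delimited) -> tab-delimited text with a header row,
    // the form the paper loads into a Corvid Logic Block.
    static String toTabDelimited(String data) {
        StringBuilder sb = new StringBuilder(String.join("\t", FIELDS)).append("\tclass\n");
        for (String line : data.split("\n")) {
            if (line.isEmpty()) continue;
            sb.append(line.replace(',', '\t')).append('\n');
        }
        return sb.toString();
    }

    // Step 2: apply the rules sequentially to each row, as a Logic Block does
    // when associated with a spreadsheet. Returns one predicted class per row.
    static List<String> classify(String tabDelimited) {
        List<String> out = new ArrayList<>();
        String[] rows = tabDelimited.split("\n");
        String[] header = rows[0].split("\t");
        for (int r = 1; r < rows.length; r++) {
            String[] cells = rows[r].split("\t", -1);
            Map<String, String> record = new LinkedHashMap<>();
            for (int i = 0; i < FIELDS.length; i++) record.put(header[i], cells[i]);
            String predicted = DEFAULT_CLASS;
            for (Rule rule : RULES) {
                if (rule.matches(record)) { predicted = rule.cls; break; }
            }
            out.add(predicted);
        }
        return out;
    }

    public static void main(String[] args) {
        String tsv = toTabDelimited(DATA);
        List<String> predicted = classify(tsv);
        String[] rows = tsv.split("\n");
        for (int r = 1; r < rows.length; r++) {
            String known = rows[r].substring(rows[r].lastIndexOf('\t') + 1);
            System.out.println(rows[r] + "  ->  " + predicted.get(r - 1)
                + (known.equals(predicted.get(r - 1)) ? "  (correct)" : "  (MISMATCH)"));
        }
    }
}
```

With the constructed data every row is classified as its known class, which is the kind of check the Results section reports; a MISMATCH line is how a rule that does not generalize would show up.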
Because we have a custom.java file, we can use it to accept system commands as input: the applet is given a command and relays it to the operating system for execution. This command is responsible for manipulating iptables; the command is followed by a series of command-specific arguments that are required for it to run properly. The Java file carries out the command through a set of classes and methods. There are two main classes the system uses to achieve this: the Runtime class and the Process class. Apart from these main classes there are a variety of supporting methods responsible for monitoring the system and ensuring basic functionality. They are not required for the process to run, but they are highly recommended in order to maintain proper functioning of the applet as a whole.
The advantage of a dedicated directory is that all the files required to run the applet are available in one place.
This method gets the error stream of the subprocess. The stream obtains data piped from the error output stream of the process represented by this Process object [Z3]. Having this method is vital in case of an entry fault: it allows the user to see where they have gone wrong and correct the error. One can choose to omit the method, but implementing it is highly recommended to ensure that a command executes properly.
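The command-execution path described in the three preceding paragraphs (a CUSTOM-style Java class that runs an iptables command through the Runtime and Process classes and reads the process's error stream) as an added illustration; this is not the project's CUSTOM.java. The entry point runIptables, its three parameters, and the chain/target whitelist are assumptions, since the page does not give the real Corvid CUSTOM signature or the paper's argument layout. The example adds the check a practitioner would want here: because the parameters arrive from the expert system as strings, they are validated before anything reaches the operating system, and the command is passed as an argument array rather than through a shell.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not the project's CUSTOM.java. The method runIptables
// and its parameters are assumed; the real Corvid entry point is not on the page.
public class IptablesRunner {

    // Only a dotted-quad IPv4 address and a fixed set of chains/targets are
    // accepted, so a malformed string from the expert system is rejected here.
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");
    private static final List<String> CHAINS = Arrays.asList("INPUT", "FORWARD");
    private static final List<String> TARGETS = Arrays.asList("DROP", "REJECT");

    // Exit status plus what the process wrote to stdout and to the error stream.
    static final class Result {
        final int exitCode; final String stdout; final String stderr;
        Result(int exitCode, String stdout, String stderr) {
            this.exitCode = exitCode; this.stdout = stdout; this.stderr = stderr;
        }
    }

    // Build the argument vector for: iptables -A <chain> -s <ip> -j <target>
    static List<String> buildCommand(String chain, String ip, String target) {
        if (!CHAINS.contains(chain)) throw new IllegalArgumentException("bad chain: " + chain);
        if (!TARGETS.contains(target)) throw new IllegalArgumentException("bad target: " + target);
        if (!IPV4.matcher(ip).matches()) throw new IllegalArgumentException("bad address: " + ip);
        return Arrays.asList("iptables", "-A", chain, "-s", ip, "-j", target);
    }

    // Run the command without a shell (argument array, so no word splitting or
    // metacharacter interpretation), then drain both streams. iptables prints
    // little, so reading stdout before stderr is safe here; for chatty commands
    // read the two streams on separate threads to avoid a pipe-buffer deadlock.
    static Result run(List<String> command) throws IOException, InterruptedException {
        Process p = Runtime.getRuntime().exec(command.toArray(new String[0]));
        String out = readAll(p.getInputStream());
        String err = readAll(p.getErrorStream());
        int code = p.waitFor();
        return new Result(code, out, err);
    }

    private static String readAll(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(in))) {
            String line;
            while ((line = r.readLine()) != null) sb.append(line).append('\n');
        }
        return sb.toString();
    }

    // Assumed entry point taking the parameters the expert system passes.
    public static String runIptables(String chain, String ip, String target) {
        try {
            Result res = run(buildCommand(chain, ip, target));
            if (res.exitCode != 0) {
                // Surface the error stream so the operator can see what went wrong.
                return "iptables failed (exit " + res.exitCode + "): " + res.stderr.trim();
            }
            return "blocked " + ip + " in " + chain;
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException | InterruptedException e) {
            return "could not run iptables: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first needs root to succeed.
        System.out.println(runIptables("INPUT", "203.0.113.7", "DROP"));
        System.out.println(runIptables("INPUT", "203.0.113.7 extra", "DROP"));  // rejected
        System.out.println(runIptables("OUTPUT", "203.0.113.7", "DROP"));       // rejected
    }
}
```

Run without root, the first call returns the text of iptables' own error stream with its non-zero exit code, which is exactly the "entry fault" visibility the paragraph above argues for; the second and third calls never reach the operating system.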
6. Results
When we ran our expert system, using the sample data set spreadsheet as input, and using the ruleset generated by See5, we observed that the expert system did properly identify known malicious traffic as malicious, and known normal traffic as normal with complete success.
7. Acknowledgments
This paper is based on work supported by the National Science Foundation (NSF) through grant CNS-05040538 and NGA. Any opinions, findings, and conclusions or recommendations expressed in the paper are those of the authors and do not necessarily reflect the views of the NSF or NGA.
8. References
[1] S. F. Owens and R. R. Levary, "An adaptive expert system approach for intrusion detection," Int. J. Security and Networks, Vol. 1, Nos. 3/4, pp. 206-217.
[2] R. U. Rehman, Intrusion Detection with Snort: Advanced IDS Techniques using SNORT, Apache, MySQL, PHP, and ACID, Prentice Hall PTR, 2003.
[3] B. Caswell, J. Beale, J. C. Foster, and Faircloth, Snort 2.0 Intrusion Detection, Syngress, 2003.
[4] Data Mining Tools See5 and C5.0, http://www.rulequest.com/see5-info.html, last visited October 22, 2009.
[5] See5: An Informal Tutorial, http://rulequest.com/see5win.html#RULES, last visited October 22, 2009.
[6] Products: Welcome to Exsys Software, http://www.exsys.com/productmain.html, last visited October 21, 2009.
[7] Exsys Corvid Knowledge Automation Expert System Software Developer's Guide, Exsys, Inc., Albuquerque, NM, 2007, p. 13.
[8] Exsys Corvid Knowledge Automation Expert System Software Developer's Guide, Exsys, Inc., Albuquerque, NM, 2007, p. 15.
[9] Exsys Corvid Knowledge Automation Expert System Software Developer's Guide, Exsys, Inc., Albuquerque, NM, 2007, p. 18.
[10] Exsys Corvid Knowledge Automation Expert System Software Developer's Guide, Exsys, Inc., Albuquerque, NM, 2007, p. 25.
[11] Exsys Corvid Knowledge Automation Expert System Software Developer's Guide, Exsys, Inc., Albuquerque, NM, 2007, pp. 275-282.
[13] The netfilter.org iptables project,