1

A Network Security Monitor

Paper By: Heberlein et. al.

Presentation By: Eric Hawkins

2

Paper Background

Authors (Heberlein, Dias, Levitt, Mukherjee, Wood, and Wolber) all from CSC at UC Davis– One of the leading research institutions for

security

Published in 1990 One of the seminal papers in intrusion

detection / network security

3

The Problem

How to keep computer networks secure against network attacks and intrustions?

Computer systems and networks were designed around trusted users

Cannot simply close off the network – need interconnection with “outside world”

Encryption, private keys, etc. cannot protect against all threats– e.g. legitimate users misusing privileges

4

The Idea

A network security monitor that compares current network activity to historical behavior in order to detect usage anomalies– Capture network traffic– Analyze traffic based on historical activity

patterns and/or pre-defined rules

5

Discussion of Attacks

Preparation Phase– More prepared attackers are more difficult to

defend against

Attack Phase– Target offers service that Attacker exploits– Target seeks to use service offered by Attacker

Post-Attack Phase

6

Concept of the N.S.M.

4-D matrix, axes are:– Source

– Destination

– Service

– Connection ID

Each cell in matrix represents a unique connection Each cell contains:

– Number of packets passed on the connection

– Cumulative sum of the data carried by those packets

7

Concept of the N.S.M. (2)

The traffic matrix can be compared against particular patterns to match types of attacks– Patterns must be generated for such attacks

– Use probability distributions to determine which measurements are likely to indicate attacks

Rules can also be employed to develop patterns– e.g. rule looking for a login connection that only

exchanges a few packets and terminates

– Difficult to apply hierarchically

8

N.S.M. Architecture

Packet catcher – captures all packets Parser – extracts protocol info (addressing,

service, etc.) Matrix Generator – creates cells or increments

counts in 4-D matrix constructed of linked-lists Matrix Analyzer – examines matrix representing

current traffic against “normal traffic” (masking) or by applying rules

Matrix Archiver – saves traffic matrix

9

Results

Identified problems which were actually just abuse of network privileges– Full backups using FTP– Programs continually executing finger

Thrown off when a network file server went down

Detected several consecutive failed log-ins

10

Difficulties

How do you train the monitor for a “normal” usage pattern? Who’s to say a security breach isn’t occurring while training?

Defining rules for non-trivial attacks will be difficult

Network traffic is not accessible when networks use non-broadcast media (think: switches vs. hubs)