www.semargroups.org,
www.ijsetr.com
ISSN 2319-8885
Vol.02,Issue.18,
December-2013,
Pages:2075-2083
Copyright @ 2013 SEMAR GROUPS TECHNICAL SOCIETY. All rights reserved.
Efficient Way of Detecting an Intrusion using Snort Rule Based Technique
A. SAI CHAND 1, M. KAVITHA SRAVANTHI 2
1 Research Scholar, Dept of ECE, Malla Reddy Institute of Technology and Science, Hyderabad, AP-India, E-mail: [email protected].
2 Asst Prof, Dept of ECE, Malla Reddy Institute of Technology and Science, Hyderabad, AP-India, E-mail: [email protected].
Abstract: For the design of intrusion detection systems, this project proposes a memory-efficient Snort based matching
scheme. In order to reduce the number of state transitions, the finite state machine uses a Snort based technique. Long target
patterns are divided into sub patterns with a fixed length. Deterministic finite automata are built with the sub patterns. Using the
pattern dividing, the variety of target pattern lengths can be mitigated, so that memory usage in homogeneous string matchers
can be efficient. In order to identify each original long pattern being divided, a two-stage sequential matching scheme is
proposed for the successive matches with sub patterns. Experimental results show that the total memory requirements and the
number of LUTs, slices and flip-flops are reduced drastically compared with the existing method.
Keywords: Flip-flops, Intrusion Detection System.
I. INTRODUCTION
Intrusion detection is a very important aspect of
protecting the cyber infrastructure from terrorist attacks or
from hackers. Intrusion prevention techniques such as
firewalls and filtering router policies fail to stop many types
of attacks. Therefore, no matter how secure we try to make
our systems, intrusions still happen and so they must be
detected. Intrusion detection systems are becoming an
important part of our computer systems and their security. An
intrusion detection system is used to detect several types
of malicious behaviour that can compromise the security
and trust of a computer system. This includes network
attacks against vulnerable services, data-driven attacks on
applications, host-based attacks such as privilege
escalation, unauthorized logins and access to sensitive files,
and malware (viruses, Trojan horses and worms). An
intrusion detection system can be composed of several
components: sensors, which generate security events; a
console, to monitor events and alerts and control the
sensors; and a central engine, which records the events logged
by the sensors in a database and uses a system of rules to
generate alerts from the security events received. There are
several ways to categorize an intrusion detection system,
depending on the type and location of the sensors and the
methodology used by the engine to generate alerts. In
many simple IDS implementations all three components
are combined in a single device or appliance. Intrusion
detection can also support prevention; the response can take
into account the certainty of the detection, the severity of
the different types of attack and the vulnerability of the
affected components. Under attack, the response may be to
kill the connection, install filtering rules or disable the
user account.
A. History of virus
Most of the computer viruses written in the early and
mid-1980s were limited to self-reproduction and had no
specific damage routine built into the code. That changed
when more and more programmers became acquainted
with virus programming and created viruses that
manipulated or even destroyed data on infected computers.
There are competing claims for the innovator of the first
antivirus product. Possibly the first publicly documented
removal of a computer virus in the wild was performed by
Bernd Fix in 1987. There were also two antivirus
applications for the Atari ST platform developed in 1987.
The first one was G Data and the second was UVK 2000. Fred
Cohen, who published one of the first academic papers on
computer viruses in 1984, began to develop strategies for
antivirus software in 1988 that were picked up and
continued by later antivirus software developers. In 1987,
he published a demonstration that there is no algorithm
that can perfectly detect all possible viruses.
B. Identification methods
1. Introduction
One of the few solid theoretical results in the study of
computer viruses is Frederick B. Cohen’s 1987
demonstration that there is no algorithm that can perfectly
detect all possible viruses. There are several methods
which antivirus software can use to identify malware:
A. SAI CHAND, M. KAVITHA SRAVANTHI
International Journal of Scientific Engineering and Technology Research
Volume.02, IssueNo.18, December-2013, Pages:2075-2083
Signature based detection is the most common
method. To identify viruses and other malware,
antivirus software compares the contents of a file to
a dictionary of virus signatures. Because viruses can
embed themselves in existing files, the entire file is
searched, not just as a whole, but also in pieces.
Fig. 1: Malwarebytes Anti-Malware version 1.46
2. Signature-based detection
Traditionally, antivirus software heavily relied upon
signatures to identify malware. This can be very effective,
but cannot defend against malware unless samples have
already been obtained and signatures created. Because of
this, signature-based approaches are not effective against
new, unknown viruses. As new viruses are being created
each day, the signature-based detection approach requires
frequent updates of the virus signature dictionary. To
assist the antivirus software companies, the software may
allow the user to upload new viruses or variants to the
company, allowing the virus to be analyzed and the
signature added to the dictionary.
3. Intrusion detection systems
Intrusion detection systems (IDSs) are software or
hardware systems that automate the process of monitoring
the events occurring in a computer system or network,
analyzing them dynamically or statically for signs of
compromise to security. As network security breaches
have increased in number and severity in recent times,
intrusion detection systems have become a necessary
addition to the security infrastructure of most
organizations. Intrusions can be defined as “attempts to
compromise the confidentiality, integrity, availability, or
to bypass the security mechanisms of a computer or
network.”
II. IDS USING PARALLEL STRING MATCHING
A. Introduction
Intrusion detection systems (IDSs) are designed to
detect various hazardous contents and alert their existence
in the networks. Most IDSs adopt a rule set that contains
the information about target patterns from hazardous
packet payloads and actions against the target patterns.
Most adopted patterns to be identified are described with
strings. Therefore, the string matching engine is still an
essential component. The string matcher is a processing
unit that detects mapped patterns from packet payloads. A
string matching engine can have multiple string matchers
for parallel string matching. Due to the slow speed of the
software-based string matching engine, the hardware-based
string matching engine is preferred for high-performance
IDSs because of its great parallelism. The memory-based
string matching engine allows on-the-fly update of memory
contents for high re-configurability. However, there are
several well-known challenges: high throughput,
regularity, scalability and low memory requirements,
especially in the memory-based engine. The deterministic
finite automaton (DFA) is frequently adopted because, with
deterministic transitions between states according to input
symbols, state transitions can be performed in a fixed
number of cycles, so that the throughput can be maintained
unchanged. In addition, due to the fixed number of output
transitions in a state, regularity can be guaranteed in the
DFA-based string matching engine. Scalability can be
supported by the homogeneity of multiple string matchers
where DFAs are mapped. Because of the deterministic
transitions between states, however, memory requirements
are proportional to both the number of states and the
number of transitions in a state. The total cost of a string
matching engine is directly related to memory
requirements; therefore, the target pattern information
should be compressed.
A previous pattern matching algorithm reduced total
memory requirements by sharing common infixes of target
patterns. For the pattern identification, a state should
contain its own match vector with a set of bits, where each
bit represents a matched pattern in the state. Even though
the information of shared common infixes was stored in
match vectors, the number of shared common infixes was
limited by the size of the match vectors. In addition,
throughput could decrease due to the modified state
transition mechanism. The memory requirements for
match vectors were reduced by relabeling states and
eliminating the match vectors of non output states. By
sharing common infixes of target patterns or relabeling
states and eliminating the match vectors of non output
states, the memory usage in the match vectors could be
efficient.
B. Proposed string matching scheme
1. Architecture of FSM Tiles
Multiple string matchers are adopted for parallel
string matching. In a string matcher, several homogeneous
FSM tiles take n bits as an input at every cycle. In the state
of each FSM tile, the pattern identification information is
stored as a partial match vector (PMV), where the ith bit
indicates whether the ith pattern is matched or not in the
state. A pattern can be identified with a full match vector
(FMV), which is obtained with the logical AND
operation of PMVs in all FSM tiles. The number in
the angle brackets describes the field width. In the
FSM tile in Fig. 2a, every state can indicate its PMV. A
difference of the FSM tile in Fig. 2a from the earlier tile
designs is that the FSM memory for storing next-state
pointers can be separated from the PMV table. As
shown in Fig. 2b, if there is no need to have PMVs in
several states, the memory allocation for those states is
not required; only several PMVs are stored in a PMV
table. The stored PMVs are defined as nonzero
PMVs; the PMVs to be reduced are defined as zero
PMVs. When many PMVs can be shared between
multiple states, the FSM tile type in Fig. 2c is beneficial,
adopting a separate small PMV table.
Fig.2: FSM tile architectures
The pattern match index (PMI) in each state
indicates a unique PMV for the state. By adopting a
separate PMV table, the memory requirements for storing
repeated PMVs can be eliminated. For example, it is
assumed that four target patterns {“ab,” “abb,”
“abab,” “a”} are mapped on an FSM tile with one input bit,
the least significant bit (LSB). The fourth pattern
“a” is the prefix of the other patterns. In addition, the
pattern “a” can be an infix of the third pattern “abab.” In
this case, two output states for the pattern “a” can share the
same PMV. In another example, target patterns with the same
lengths can share the same PMV. For example, let us
assume that an FSM tile takes two LSBs for input
symbols. The matches with patterns “ab” and “cd” indicate
an identical PMV in the FSM tile.
Fig. 2 sub-captions: (a) FSM tile where all states have their
own PMVs; (b) FSM tile that stores only nonzero PMVs;
(c) FSM tile that adopts a PMI and a separate PMV table.
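The FSM tiles, PMVs and the FMV described above, as an added worked example in Python that is not part of the paper (the paper's design is an FPGA implementation; this is a software model of the same idea). It builds one 1-bit tile per bit position from a byte-level Aho-Corasick automaton over the four example patterns, ANDs the tiles' PMVs into an FMV while scanning a payload, and then compares the pattern-identification memory of a PMV in every state (Fig. 2a) with a PMI per state plus a separate table of distinct nonzero PMVs (Fig. 2c). The PMI width and the memory accounting are this example's own assumptions.

```python
from collections import deque
from math import ceil, log2

# Constructed example set: the four target patterns used in the text.
PATTERNS = ["ab", "abb", "abab", "a"]


def build_aho_corasick(patterns):
    """Byte-level Aho-Corasick automaton: goto table, failure links and an
    output vector per state (bit j set <=> pattern j ends in that state)."""
    goto, out = [{}], [0]
    for j, pat in enumerate(patterns):
        s = 0
        for ch in pat.encode():
            if ch not in goto[s]:
                goto.append({})
                out.append(0)
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s] |= 1 << j
    fail = [0] * len(goto)
    queue = deque(goto[0].values())
    while queue:                      # BFS: fail[] of shallower states is ready first
        r = queue.popleft()
        for ch, s in goto[r].items():
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] |= out[fail[s]]    # inherit matches of the longest proper suffix
            queue.append(s)
    return goto, fail, out


def ac_step(ac, s, ch):
    goto, fail, _ = ac
    while s and ch not in goto[s]:
        s = fail[s]
    return goto[s].get(ch, 0)


def build_tile(ac, bit):
    """FSM tile that consumes only one bit (n = 1) of every input byte.
    A tile state is the set of AC states reachable under that projection
    (subset construction); its PMV is the OR of their output vectors."""
    out = ac[2]
    start = frozenset([0])
    ids, pmv, trans = {start: 0}, [out[0]], [[0, 0]]
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for b in (0, 1):
            nxt = frozenset(ac_step(ac, s, ch) for s in cur
                            for ch in range(256) if (ch >> bit) & 1 == b)
            if nxt not in ids:
                ids[nxt] = len(ids)
                vec = 0
                for s in nxt:
                    vec |= out[s]
                pmv.append(vec)
                trans.append([0, 0])
                queue.append(nxt)
            trans[ids[cur]][b] = ids[nxt]
    return trans, pmv


AC = build_aho_corasick(PATTERNS)
TILES = [build_tile(AC, bit) for bit in range(8)]   # one tile per input bit


def match(tiles, payload):
    """Run all tiles in lock-step; the FMV is the AND of their PMVs.
    Returns (end_offset, pattern_index) pairs in scan order."""
    states = [0] * len(tiles)
    hits = []
    for pos, ch in enumerate(payload):
        fmv = -1                      # all ones; each tile's PMV narrows it
        for i, (trans, pmv) in enumerate(tiles):
            states[i] = trans[states[i]][(ch >> i) & 1]
            fmv &= pmv[states[i]]
        j = 0
        while fmv:
            if fmv & 1:
                hits.append((pos, j))
            fmv >>= 1
            j += 1
    return hits


def pmv_memory_bits(tile, p=len(PATTERNS)):
    """Bits spent on pattern identification in one tile: a PMV in every state
    (Fig. 2a) versus a PMI per state plus a table of distinct nonzero PMVs
    (Fig. 2c). PMI value 0 is reserved for the zero PMV (assumption)."""
    _, pmv = tile
    distinct = {v for v in pmv if v}
    flat = len(pmv) * p
    pmi_width = max(1, ceil(log2(len(distinct) + 1)))
    table = len(pmv) * pmi_width + len(distinct) * p
    return flat, table
```

The AND of the PMVs is exact: bit j is set in tile i only when the last |pattern j| bytes agree with pattern j in bit i, so it is set in all eight tiles only when the bytes agree in every bit.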
2. Divided Pattern Matching
In order to explain the divided pattern matching
with an example, “00,” “|05 00|,” “BN |10 00 02 00|,”
“BN |20 00 02 00|,” and “get clients” are assumed to
be a set of target patterns, where the sequence of
two digits between pipe symbols is a sequence of
hexadecimal numbers. The length of the sub patterns
for the quotient vector is fixed as 3. All divided
patterns are ordered as shown in Fig. 3, where binary
code values are provided in the right column.
Fig. 3: Example of sub patterns for the divided pattern
matching
3. Sequential Matching with Divided Patterns
The match with a divided target pattern consists
of successive matches with its quotient vector and
remnant pattern. If a target pattern is divided by a fixed
length f, the sequential matches with the sub patterns in
the quotient vector should be detected at f different points.
Because the starting points of the sequential matches can
be different, the points at which the target pattern is
matched can vary. Fortunately, the sequential matches for
the quotient vector can be performed based on the FSM
architecture in Fig. 2c with additional registers. State
pointers and PMVs are held for f cycles and updated
periodically every f cycles. Due to the various lengths of
the remnant patterns, the output states in an FSM for
the remnant patterns can be reached at any cycle.
Therefore, the number of string matchers with identical
contents is multiplied by the fixed length f.
4. String Matching Engine Architecture
Based on the sequential matching mentioned
above, the architecture of the proposed string matching
engine is illustrated in Fig. 4, where f is the fixed
length of sub patterns in the quotient vector. According to
f, the number of the remnant pattern matchers can be
varied.
Fig. 4: An example of the proposed string matching
engine architecture
A character code of one byte from a payload is
input to the quotient vector matcher. The quotient
vector matcher consists of v string matchers, where the
width of an FMV is equal to the number of bits in a PMV
of an FSM tile, p. In the quotient vector matcher, only
one bit in the total temporary match vectors becomes true,
because only one sub pattern can be matched in the
quotient vector matcher per cycle. Therefore, the
temporary match vectors are encoded using a v·p : ⌈log2(v·p)⌉
binary encoder, where the encoder output can be the
quotient index.
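The divided pattern matching and the f-phase sequential matching of the last three subsections, as an added Python model that is not the paper's code. Patterns are split into a quotient vector of length-f sub patterns plus a remnant; a quotient vector matcher reports the index of the sub pattern equal to the last f input bytes; f sequential matchers, one per phase, each advance only every f cycles (the state pointers held for f cycles); and a remnant matcher completes the match. The sequential matcher here is driven by a KMP failure table over the sub-pattern indices so that overlapping quotient sequences are not lost; that table is this example's addition, since the paper does not describe how its hardware handles that case.

```python
F = 3  # fixed sub-pattern length used in the paper's example

# Constructed target set, as bytes: "00" is the two ASCII digits, the |..|
# groups of the paper's notation are hexadecimal byte values.
PATTERNS = [b"00", b"\x05\x00", b"BN\x10\x00\x02\x00",
            b"BN\x20\x00\x02\x00", b"get clients"]


def divide(pattern, f=F):
    """Split a pattern into its quotient vector (length-f sub patterns)
    and its remnant (the trailing len(pattern) mod f bytes)."""
    q = len(pattern) // f
    return [pattern[i * f:(i + 1) * f] for i in range(q)], pattern[q * f:]


def build_tables(patterns, f=F):
    """Number the distinct sub patterns (the binary code column of Fig. 3)
    and express every pattern as (list of sub-pattern codes, remnant)."""
    codes_of, divided = {}, []
    for pat in patterns:
        quotient, remnant = divide(pat, f)
        divided.append(([codes_of.setdefault(sp, len(codes_of))
                         for sp in quotient], remnant))
    return codes_of, divided


def kmp_failure(codes):
    """Failure table over the code sequence: after a mismatch, keep the part
    of the match that is also a proper prefix instead of discarding it."""
    fail, k = [0] * len(codes), 0
    for i in range(1, len(codes)):
        while k and codes[i] != codes[k]:
            k = fail[k - 1]
        if codes[i] == codes[k]:
            k += 1
        fail[i] = k
    return fail


def advance(codes, fail, p, idx):
    """One step of a sequential matcher: p quotient entries matched so far,
    idx is the quotient index reported this cycle (None = no sub pattern)."""
    while p and (idx is None or codes[p] != idx):
        p = fail[p - 1]
    if idx is not None and codes[p] == idx:
        p += 1
    return p


def match(patterns, payload, f=F):
    """Cycle-by-cycle software model of the two-stage matcher.
    Returns sorted (start_offset, pattern_index) pairs."""
    codes_of, divided = build_tables(patterns, f)
    fails = [kmp_failure(codes) for codes, _ in divided]
    # progress[k][j]: state pointer of the phase-k matcher for pattern j
    progress = [[0] * len(patterns) for _ in range(f)]
    hits = []
    for cycle in range(len(payload)):
        k = cycle % f                       # only the phase-k matchers sample now
        window = payload[cycle - f + 1:cycle + 1] if cycle >= f - 1 else b""
        idx = codes_of.get(window)          # quotient vector matcher output
        for j, (codes, remnant) in enumerate(divided):
            if codes:
                if cycle < f - 1:
                    continue
                p = advance(codes, fails[j], progress[k][j], idx)
                if p == len(codes):
                    # quotient vector complete: the remnant must follow directly
                    tail = payload[cycle + 1:cycle + 1 + len(remnant)]
                    if tail == remnant:
                        end = cycle + 1 + len(remnant)
                        hits.append((end - len(patterns[j]), j))
                    p = fails[j][-1]        # keep any overlapping prefix
                progress[k][j] = p
            elif cycle + 1 >= len(remnant) and \
                    payload[cycle + 1 - len(remnant):cycle + 1] == remnant:
                hits.append((cycle + 1 - len(remnant), j))   # shorter than f
    return sorted(hits)
```

Patterns shorter than f have an empty quotient vector and are handled by the remnant matcher alone, which is why it must be able to fire at any cycle, as the text notes.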
III. INTRUSION DETECTION USING THE SNORT
RULE SET
A. Introduction
Snort is a cross-platform, network intrusion detection
tool that can be deployed to monitor TCP/IP networks and
detect a wide variety of suspicious network traffic as well
as outright attacks. The program is free software; access
rights to it fall under the terms of the GNU General
Public License.
B. The Snort detection engine
Snort maintains its detection rules in a two-dimensional
linked list of what are termed Chain Headers and Chain
Options. Chain Headers are lists of rules that have been
condensed down to a list of common attributes, and the
detection modifier options are contained in the Chain
Options. Figure 5 shows the logical structure of the Snort
rule set.
Fig. 5: Block diagram of SNORT rule detection
C. Implementation of Snort Rule set on the DRIDS
The DRIDS implements a subset of the Snort rule set
on each IDE. Each IDE consists of a Master FSM and 14
auxiliary FSMs called the RoptFSMs (Rule Option FSMs).
Each RoptFSM deals with a particular rule option. With
the arrival of a new packet, the Master FSM reads in the
first rule from the SRAM and passes control to the RoptFSM
that deals with the first rule option that occurs. When the
RoptFSM completes its rule option, it returns control to
the Master FSM, which then proceeds to check the next
rule option. The exact pattern match uses the Boyer-Moore
algorithm, whose first heuristic is commonly referred
to as the bad character heuristic: if a character is seen that
does not exist in the keyword to search for, the keyword
can be shifted forward N characters, where N is the length
of the given keyword. The second heuristic uses
knowledge of repeated substrings in the keyword. Thus, if
a mismatch occurs and repeated patterns exist in a given
keyword, it is able to shift the keyword to the next
occurrence of a substring that matches what has already
been successfully matched. Figure 6 depicts the
implementation of an exact pattern match using the
Boyer-Moore algorithm. Figure 7 shows the IDE Master
FSM. The Master FSM has 5 possible states.
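Both Boyer-Moore heuristics described above, together with the Snort-style content notation from Section II (hexadecimal bytes between pipe symbols), as an added Python example that is neither the paper's nor Snort's code. parse_content turns a rule's content string into bytes; boyer_moore searches a payload with the bad-character shift (a byte absent from the keyword shifts it by its full length) and the good-suffix shift (re-aligning on an earlier occurrence of what was already matched); mismatch_shift exposes the shift chosen at a single mismatch so the two rules can be inspected.

```python
def parse_content(spec):
    """Snort-style content string to bytes: text outside |...| is literal,
    two-digit groups inside the pipes are hexadecimal byte values."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced pipe symbols in content")
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def bad_character_table(pattern):
    """Rightmost position of each byte in the pattern; a byte that does not
    occur is looked up as -1, which yields the full-length shift."""
    return {b: i for i, b in enumerate(pattern)}


def good_suffix_table(pattern):
    """shift[j] is the slide to apply after a mismatch at pattern[j - 1]
    (shift[0] after a full match): the next occurrence of the matched
    suffix, or of its longest border if there is no other occurrence."""
    m = len(pattern)
    shift, border = [0] * (m + 1), [0] * (m + 1)
    i, j = m, m + 1
    border[i] = j
    while i > 0:
        while j <= m and pattern[i - 1] != pattern[j - 1]:
            if shift[j] == 0:
                shift[j] = j - i
            j = border[j]
        i -= 1
        j -= 1
        border[i] = j
    j = border[0]
    for i in range(m + 1):
        if shift[i] == 0:
            shift[i] = j
        if i == j:
            j = border[j]
    return shift


def mismatch_shift(pattern, j, text_byte, bc=None, gs=None):
    """Shift chosen when pattern[j] mismatches text_byte: the larger of the
    bad-character and good-suffix proposals."""
    bc = bc if bc is not None else bad_character_table(pattern)
    gs = gs if gs is not None else good_suffix_table(pattern)
    return max(gs[j + 1], j - bc.get(text_byte, -1))


def boyer_moore(pattern, text):
    """All start offsets of pattern in text, comparing the keyword right to
    left and sliding it with both heuristics."""
    m, n = len(pattern), len(text)
    if m == 0 or m > n:
        return []
    bc, gs = bad_character_table(pattern), good_suffix_table(pattern)
    hits, s = [], 0
    while s <= n - m:
        j = m - 1
        while j >= 0 and pattern[j] == text[s + j]:
            j -= 1
        if j < 0:
            hits.append(s)
            s += gs[0]
        else:
            s += mismatch_shift(pattern, j, text[s + j], bc, gs)
    return hits
```

With the keyword "abcd" and an unrelated byte at its last position, mismatch_shift returns 4, the keyword length, which is the bad-character case the text describes.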
1. Reset/Initial State
As shown in Figure 6, the Master FSM has 5 possible
states. Upon reset the FSM enters state S0. In this
state it holds the IDE_RDY signal at ‘1’, indicating that
the IDE is not currently processing a packet. It also
initializes the Read Pointer to the location of the first rule
in the SRAM. In this state, the FSM samples the Sram
State signal from the controller for this pipe stage, and
remains in this state as long as the Sram State is “Invalid”.
The FSM transitions to state S1 when the Sram State changes
to “Exclusive”. This state checks the rule option
read in from the SRAM and passes control to the
RoptFSM that handles it. This state also deduces the
number of bytes by which to increment the Read Pointer
from the current option being handled by the RoptFSM.
This value cannot be deduced for a content match
option, however, and this triggers a transition to state S2. For
all other options, the FSM transitions to state S3. State S2 is
an intermediate state where the Master FSM determines
the size of the content match pattern from the following
byte in the SRAM. This is possible because of the format
of the rules in the SRAM as shown in Figure. After
incrementing the Read Pointer to point to the next valid
rule in SRAM, the FSM transitions to state S3. S3 is a
stalled state where the FSM waits for the return of control
from the RoptFSM. The RoptFSM can return with either
a “Pass” or a “Fail” message. If a rule option fails, the
Master FSM updates the Scoreboard to record that the
particular rule has failed and moves on to the next rule in
the SRAM. However, in order to find the next rule in the
SRAM, the FSM needs to find the rule delimiter for the
current rule and hence enters state S4, where it increments
the Read Pointer until the rule delimiter is found, at which
point it returns to state S1. On a passing rule option in state
S3, i.e. when the RoptFSM returns control with a “PASS”
signal, the Master FSM transitions to state S1, where it
proceeds to read the next rule option from the SRAM.
Upon finding a rule delimiter, state S1 updates the
Scoreboard. Figure 8 illustrates the design approach
adopted for the DRIDS IDE.
Fig. 6: IDE Master FSM.
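The five-state Master FSM walk described above, as an added Python model that is not the DRIDS design itself. The paper does not give the byte layout of rules in the SRAM, so the option codes, the length byte after a content option and the 0xFF rule delimiter are assumptions of this example, as are the three stand-in RoptFSM checks; the S0..S4 transitions, the Scoreboard updates and the delimiter scan in S4 follow the text.

```python
from enum import Enum

# Assumed SRAM rule encoding for this example (the paper gives no byte format):
# an option code byte followed by its operand. Only the content option has a
# variable-length operand, announced by a length byte, which is why S2 exists.
OPT_CONTENT = 0x01       # length byte, then the pattern bytes
OPT_DSIZE = 0x02         # one byte: minimum payload size
OPT_FLAGS = 0x03         # one byte: TCP flag bits that must all be set
RULE_DELIM = 0xFF        # end-of-rule marker
FIXED_OPERAND_LEN = {OPT_DSIZE: 1, OPT_FLAGS: 1}


class State(Enum):
    S0 = 0
    S1 = 1
    S2 = 2
    S3 = 3
    S4 = 4


def encode_rules(rules):
    """Serialise rules, each a list of (option, operand bytes), into the
    assumed SRAM layout. S4 scans for RULE_DELIM byte by byte, so in this
    toy encoding a content pattern may not contain 0xFF."""
    sram = bytearray()
    for rule in rules:
        for opt, operand in rule:
            sram.append(opt)
            if opt == OPT_CONTENT:
                if RULE_DELIM in operand:
                    raise ValueError("content pattern collides with the delimiter")
                sram.append(len(operand))
            sram += operand
        sram.append(RULE_DELIM)
    return bytes(sram)


def ropt_fsm(opt, operand, packet):
    """Stand-in for the Rule Option FSMs: True for PASS, False for FAIL."""
    payload, flags = packet
    if opt == OPT_CONTENT:
        return operand in payload
    if opt == OPT_DSIZE:
        return len(payload) >= operand[0]
    if opt == OPT_FLAGS:
        return flags & operand[0] == operand[0]
    raise ValueError(f"unknown option code {opt:#x}")


def master_fsm(sram, packet, sram_state="Exclusive"):
    """Walk the rule memory for one packet as the Master FSM does.
    Returns (scoreboard, trace): rule number -> passed, and the states visited."""
    ptr, rule = 0, 0                     # Read Pointer, current rule number
    scoreboard, trace = {}, [State.S0]
    pending = None                       # (option, operand) handed to a RoptFSM
    if sram_state != "Exclusive":        # S0 waits while the Sram State is Invalid
        return scoreboard, trace
    state = State.S1
    while True:
        trace.append(state)
        if state is State.S1:
            if ptr >= len(sram):
                return scoreboard, trace      # all rules checked; IDE_RDY again
            opt = sram[ptr]
            if opt == RULE_DELIM:             # every option passed: rule matched
                scoreboard[rule] = True
                rule, ptr = rule + 1, ptr + 1
                continue                      # stay in S1 for the next rule
            if opt == OPT_CONTENT:
                state = State.S2              # operand length not yet known
            else:
                n = FIXED_OPERAND_LEN.get(opt)
                if n is None:
                    raise ValueError(f"unknown option code {opt:#x} at {ptr}")
                pending = (opt, sram[ptr + 1:ptr + 1 + n])
                ptr += 1 + n
                state = State.S3
        elif state is State.S2:
            n = sram[ptr + 1]                 # length byte after the option code
            pending = (OPT_CONTENT, sram[ptr + 2:ptr + 2 + n])
            ptr += 2 + n
            state = State.S3
        elif state is State.S3:               # stalled until the RoptFSM answers
            if ropt_fsm(*pending, packet):
                state = State.S1
            else:
                scoreboard[rule] = False
                state = State.S4
        elif state is State.S4:               # skip the rest of the failed rule
            while ptr < len(sram) and sram[ptr] != RULE_DELIM:
                ptr += 1
            rule, ptr = rule + 1, ptr + 1
            state = State.S1


# Constructed rule memory and packet (payload, TCP flags) for a dry run.
RULES = [
    [(OPT_CONTENT, b"get clients"), (OPT_DSIZE, bytes([5]))],
    [(OPT_FLAGS, bytes([0x02])), (OPT_CONTENT, b"BN\x10\x00\x02\x00")],
]
SRAM = encode_rules(RULES)
PACKET = (b"xxget clients", 0x12)
```

For PACKET the first rule passes both options and the second fails on its content match, so the trace visits S2 (content length lookup) and S4 (skip to the delimiter) and the Scoreboard ends as {0: True, 1: False}.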
D. Serial Front Panel Protocol
Serial Front Panel Data Port (SFPDP) is a high-speed,
low-latency, data-streaming, serial communications
protocol used for high-speed real-time data transfer
applications. Serial FPDP, originally developed by Systran
Corporation in its Simplex Link and Fiber Extreme
products, is defined in the specification. It is a serial
encapsulation of the Front Panel Data Port (FPDP) protocol.
Fig. 7: Top down control in FSM design
Fig.8: Block diagram of typical Application of SFPDP
Protocol
The typical application of the SFPDP protocol in
radar systems is shown in Figure 8. Processed data
from the signal processor is acquired by the interface module
and then transferred using this protocol as implemented in
the FPGA. This module provides an interface to Digital
Signal Processors (DSPs) for acquiring the processed data.
The interface module receives processed data from the DSP
processors on a parallel link, serializes the data of each
channel and sends it over the XAUI following the SFPDP
protocol. This can be used to send the data through the
SFPDP protocol over a distance of up to 10 km for
presentation on a display terminal for radar systems. Field
data can be recorded and replayed as and when required to
further analyze the data in the control room and test the
performance of the radar. The SFPDP data is sent through
XAUI (extended Attachment Unit Interface), the serial
interface. The data in the XAUI is looped back using
fiber optic cable. Serial FPDP extends the maximum
distance of FPDP connections by serializing the FPDP
data stream and transmitting it over an extended distance
using fiber optic cable. Serial FPDP is basically a point-
to-point, simplex protocol designed to transfer data from
a sender to a receiver. The connection between a sender
and a receiver is established and remains in effect for
relatively lengthy periods of time. The sequence of the
frame format is as given in the following section.
Each frame is recognized by a specified 32-bit
pattern, as given below in hex:
SOF: BCB51717
FEOF: BC8A9595
SEOF: BC957575
Go/Stop: BC85B5B5
MEOF: BC8AD5D5
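The five sync words above, used in an added Python frame delimiter that is not part of the paper's FPGA design. It walks a word-aligned stream, opens a frame on SOF, closes it on FEOF, SEOF or MEOF, records Go/Stop words as flow control and reports the malformed sequences a receiver should flag (an EOF with no SOF, a SOF inside an open frame, a stream that ends mid-frame). Word alignment and big-endian word order are assumptions of this model; on the serial link the sync words are control characters of the 8b/10b code, which a byte-level model cannot see, so a data word equal to a sync value is treated as a sync here.

```python
import struct

# The 32-bit sync words listed in the text, as big-endian word values.
SYNC_WORDS = {
    0xBCB51717: "SOF",
    0xBC8A9595: "FEOF",
    0xBC957575: "SEOF",
    0xBC85B5B5: "Go/Stop",
    0xBC8AD5D5: "MEOF",
}


def to_words(stream):
    """Interpret a byte stream as word-aligned big-endian 32-bit words
    (alignment is assumed by this model)."""
    if len(stream) % 4:
        raise ValueError("stream is not a whole number of 32-bit words")
    return [w for (w,) in struct.iter_unpack(">I", stream)]


def split_frames(stream):
    """Delimit frames: SOF opens one, FEOF/SEOF/MEOF close it, Go/Stop is
    flow control outside frames. Returns (frames, control_positions, errors);
    each frame is {"start": word index, "end": closing marker, "data": words}."""
    frames, control, errors = [], [], []
    current = None
    for i, w in enumerate(to_words(stream)):
        kind = SYNC_WORDS.get(w)
        if kind is None:                          # ordinary data word
            if current is None:
                errors.append(f"word {i}: data outside a frame")
            else:
                current["data"].append(w)
        elif kind == "SOF":
            if current is not None:
                errors.append(f"word {i}: SOF while the frame from word "
                              f"{current['start']} is still open")
            current = {"start": i, "end": None, "data": []}
        elif kind == "Go/Stop":
            control.append(i)
        else:                                     # FEOF, SEOF or MEOF
            if current is None:
                errors.append(f"word {i}: {kind} without a preceding SOF")
            else:
                current["end"] = kind
                frames.append(current)
                current = None
    if current is not None:
        errors.append("stream ended inside a frame")
    return frames, control, errors


# Constructed sample: Go/Stop, a two-word data frame, a sync-without-data
# frame (SOF directly followed by SEOF), then a stray FEOF to be rejected.
SAMPLE_STREAM = struct.pack(">8I", 0xBC85B5B5, 0xBCB51717, 0x00000001,
                            0x00000002, 0xBC8A9595, 0xBCB51717, 0xBC957575,
                            0xBC8A9595)
```

The second frame of the sample is the "sync without data" case of Figure 10: it carries no data words and is still reported as a complete frame.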
Figure 9: Normal Data Fiber Frame
Figure 10: Sync without Data Fiber Frame
Fig. 11: data flow with the system
The main objective of this work is to transmit the data
through the SFPDP protocol. The transmitted data is stored
in a buffer and then received at the receiver. The output
at the receiver is of the form shown in Figure 9, which
meets the requirement of the designed model. The above
results are excellent and justify the designed SFPDP
protocol for high speed data transfer: the received data is
the same as the transmitted data, with the same values.
Fig.12: serial communication system
IV. APPLICATIONS AND ADVANTAGES
The real benefit of anti-virus protection is directly
related to the consequences of not having anti-virus
software. The internet is not a secure place by any means,
and even the most tech-savvy users have a relatively high
likelihood of downloading some form of malware or
becoming the victim of an identity-stealing scam just by
going online occasionally. Learning just a little bit about
the consequences of not having anti-virus protection
should be enough to convince everyone they need it. Here
are a few important reasons to get top-quality anti-virus
protection for your computer:
Protection from Viruses
Protection from Spyware and Identity Theft
Protection from Spam
V. RESULTS
A. Device utilization summary
TABLE I: DEVICE UTILIZATION SUMMARY FOR
THE DEVICE XC3S500E-4FG320
B. Synthesis Report
Total latency 13.083ns (7.355ns logic, 5.728ns route)
Total memory usage is 193244 kilobytes
C. Waveforms
Figure 13 shows the input data, which is in the form of
binary values. Figure 14 shows the output of the serial
communication.
Fig 12: input data
Fig 13: Serial communication
FIG. 14: Snort output
Fig 15: Address of virus file
Figure 15 shows the addresses of the virus files that are
present in the given input data. As shown in Figure 16, the
purpose of the RTL module builder is to build, or acquire
from a library of predefined components, each of the
required RTL blocks in the user-specified target technology.
D. RTL Schematic
Fig. 16: RTL Schematic
VI. CONCLUSION AND FUTURE SCOPE
Intrusions are activities that violate the security
policy of a system. Intrusion detection is the process used to
identify intrusions. An intrusion detection system (IDS)
inspects all network activity and identifies suspicious
patterns that may indicate a network or system attack from
someone attempting to break into or compromise a system.
In this work a design for detecting an intrusion is
presented. The incoming packets are compared with the
virus database, and based on the database the
identification of an intrusion is done. In the present work the
IDS evaluates a suspected intrusion once it has taken place,
also watches for attacks that originate from within a
system, and shows that device utilization is much lower than
that of the previous design. There are several ways to
categorize an IDS; among those, misuse detection is chosen
for the presented work. The IDS analyzes the information
it gathers and compares it to large databases of attack
signatures. Essentially, the IDS looks for a specific attack
that has already been documented. The misuse detection
software is only as good as the database of attack signatures
that it uses to compare packets against. In future, intrusion
detection and prevention systems (IDPSs) will be primarily
focused on identifying possible incidents, logging
information about them and reporting attempts. In
addition, organizations use IDPSs for other purposes, such
as identifying problems with security policies,
documenting existing threats and deterring individuals
from violating security policies. IDPSs have become a
necessary addition to the security infrastructure of nearly
every organization.