
New Methods of Intrusion Detection
using Control-Loop Measurement

Fourth Technology for Information Security Conference'96 (TISC'96)
Houston, TX
May 16, 1996

Dr. Myron L. Cramer
James Cannady
Jay Harrell


This paper describes a new concept in network intrusion detection based upon statistical recognition of an intruder's control-loop. These criteria offer advantages in infinite networks and where a priori attack scenarios are not known. This paper describes the need for better intrusion detection methods, the applicability of digital signal processing to real-time network surveillance, the concept of control-loop behavior, and the design of an innovative intrusion detection system employing these. We also discuss the benefits of this new system in comparison with alternative technologies.

Purpose

The purpose of this paper is to describe some new ideas in intrusion detection. These ideas are based upon a review of the physics of the problem and an analysis of applicable technological approaches. The proposed new methods reflect concepts still in development and evaluation by the authors. This paper includes discussion of the need for better Intrusion Detection Systems (IDS), Intrusion Detection System Operational Concepts, Applicability of Digital Signal Processing (DSP) to Intrusion Detection System design, Control-Loop Concepts, Use of the above in an Intrusion Detection System, and the benefits of this approach.

Role of Intrusion Detection

As illustrated in Figure 1, intrusion detection systems (IDSs) can be viewed as the second layer of protection against unauthorized access to networked information systems. It is believed that no reasonable access control system can preclude intrusions. Despite the best access control systems, intruders are still able to enter computer networks with greater frequency than anyone would like. IDSs augment the security provided by the access control systems by providing system administrators with warning of the intrusion and information to assist in damage control or mitigation. Although IDSs can be designed to verify the proper operation of access control systems by looking for the attacks that get past the access control systems, this second layer is most useful when it can detect intrusions that use methods that are different from those looked for by the access control systems. To do this they must use more general and more powerful methods than simple database look-ups of known attack scenarios. Effective intrusion detection is necessary to cue response options.


Figure 1. Intrusion Detection Systems are the Second Layer of Defense

Characteristics of Intrusion Detection Systems

In order to satisfy its functions, the ideal intrusion detection system should have the following characteristics:

Ideal IDS Characteristics

Timeliness: It should detect intrusions either while they are happening or shortly afterwards.
High probability of detection: It should recognize all or most intrusions.
Low false-alarm rate: It should have a low number of false intrusion alarms.
Specificity: In identifying attacks, it should give sufficient characterization data to support an effective response.
Scalability: It should be applicable to large (infinite) networks.
Low a priori information: It should require a minimum of a priori information about potential attackers and their methods.

Although these characteristics appear compelling, they have not been available, nor are they likely to result from traditional approaches. The performance of IDSs can be described in various ways. In evaluating the performance of IDSs as they become available, quantitative performance metrics will be useful. At the simplest level, there are three fundamental classes of metrics which could be used: quantity, quality, and time, as illustrated in Figure 2.


Figure 2. Performance Metrics for IDSs include Quantity, Quality, and Time

Quantitative metrics include the number of nodes protected, the number of user profiles tracked, the number of simultaneous attacks that can be tracked, and the number of system administrators supported. The number of simultaneous attacks is significant in light of attack strategies which include the use of large feint attacks intended to distract responses from the real attacks.

Scope of Intrusion Detection Systems

The scope of an IDS includes the types and quantities of systems to be supported, the types of threats or attackers considered, and the types of intrusion activities addressed by the system. Some systems may be designed primarily for insider threats: they monitor user activities and ensure that they remain within norms. Other systems may focus on backing up the access control systems and ensure that specified attack scenarios are not able to enter the networks.

System to be Protected: The protected system can be an individual machine or a network of machines. Problems arise in trying to protect a network by installing individual protection on each machine in the network. These problems include configuring, managing, monitoring, and coordinating distributed intrusion detection activity. In many instances, protecting the network can be more important than protecting some of the individual processors!

Attackers: There are wide differences in the types of possible threats. The degrees of threats can range from the recreational hacker to the full-scale "Type II Information Warfare Attack" directed and focused, and in some instances funded by national government or well-resourced organizations. Objectives of attacks may include attempts to compromise confidentiality, authentication, integrity, or the availability of services.

Classification of IDSs

The "standard" classifications of IDSs include the following categories: statistical anomaly detection, rule-based anomaly detection, and rule-based penetration identification. The new methods discussed in this paper do not fit in any of these categories! For this reason we need to take a fresh perspective on system designs, and we introduce a different way to think of system design approaches.

In this new view, IDSs can be characterized by: where they live, what you have to tell them, what they look for, which technologies they use, and what they tell you. We discuss these in the following paragraphs.

Where they live... There are several choices of hosts for an IDS as depicted in Figure 3 below. These include the standard network elements including routers, hubs, servers, and client systems.


Figure 3. Possible hosts for an IDS Include Many Network Locations

The first possible host for an IDS is on the computer(s) being protected. This poses scaling problems for large networks, as well as installation, configuration, and management issues for distributed IDS operation. It also suffers from the worst visibility of related network activity. On the positive side, however, it does have the best visibility of the IDS host computer.

Another and potentially better IDS host is a separate processor strategically attached to the network. This approach has advantages for large networks, including installation, configuration, and management. It also has the best visibility of the overall network.

What you have to tell them... The fundamental problem is the detection criteria for an "intrusion". This can include scenarios of attack or penetration based upon historical information, normal user profiles, and expected system usage patterns.

What they look for... In looking for intrusions, an IDS examines records such as computer log files which give historical usage data, or ongoing process activity information from the operating system for real-time intrusion detection. These systems then look for matches with known scenarios of attack or penetration, or they look for anomalies relative to anticipated user or system profiles. A good criterion needs to be predictive! This includes the recognition of novel attacks and methods.

Recognizing Intrusions

The fundamental problem in IDS design is really how to recognize the behavior associated with intrusions. A determined attacker effects his intrusion through a sequence of activities to achieve a desired result. Generally, each of these actions, viewed by itself, is a normal legitimate activity. It is only when the sequence of an attack is assembled that the intruder's hostile objectives become clear.

Intrusions can come in many ways. Consider the type of intruder in Figure 4 who is conducting a systematic focused attack on a network over the Internet. Although this is not the only type of intruder, this is potentially one of the most dangerous. He has a source from which he is attempting to accomplish his malicious objectives using some initial knowledge of the target system. From his entry point, he will select specific elements in the targeted network; he will have some specific actions he intends to effect; and he will utilize some specific methods, some of which we may have never seen before.

Figure 4 labels: Sources, Targets, Objectives, Actions, Knowledge, Methods

Figure 4. The Class of Focused External Attackers is of Special Interest

Which technologies they use... Technologies for IDS typically include Data Base Methods and Expert systems such as Rule-based, Case-based, or Neural networks. Another class of technologies includes Digital Signal Processing (DSP). DSP methods include both digital filters and spectrum analysis.

A good method needs to be adaptable!

Digital Signal Processing (DSP)

Digital signal processing is a technology-driven field. It typically includes methods of processing discrete-time signals or time series data sequences. These include digital filters and spectrum analysis.

In assessing new potentially applicable technologies for intrusion detection, it is our premise that DSP is one with potentially high payoffs. DSP is widely used in many applications in electrical and computer engineering, including modern control systems, sensors and communications. Using modern statistical methods, time-series data are collected, filtered, correlated, and analyzed for many purposes including event detection. The recognition and characterization of computer network protocols has been among the applications successfully handled by DSP.

Time Series Data

Network traffic includes time series data in the form of structured sequences of ones and zeros. As shown below in Figure 5, the time series data contains patterns that implement the structures of the various nested protocols carrying the network traffic. Applying DSP methods to this traffic includes integrating time-series data streams with digital models designed to correlate or weight activities of interest and to filter out uninteresting activities, which may be combinations of external addresses and certain combinations of processes.

01111110 11000000 XXXXXXXX (INFO) XXXXXXXXXXXXXXX 01111110 SLP
01111110 10000000 XXXXXXXX (INFO) XXXXXXXXXXXXXXX 01111110 SLP
01111110 11110000 XXXXXXXX (INFO) XXXXXXXXXXXXXXX 01111110 MLP
01111110 11100000 XXXXXXXX (INFO) XXXXXXXXXXXXXXX 01111110 MLP

Figure 5. Network Traffic Can Be Viewed as a Time Series

Protocol Analysis

Statistical signal processing is one method of DSP that can be used to decompose protocol structures. In Figure 6 below we see that the HDLC and DDCMP protocols have recognizable features when viewed in the bispectrum generated through Cyclostationary Signal Processing. Cyclostationary Signal Processing is a powerful statistical method that identifies characteristics in time series autocorrelations. The independence of these features is illustrated below showing the combined presence of HDLC and DDCMP.

Figure 6. Protocols Can Be Statistically Recognized
Credit: Booz, Allen & Hamilton Inc.
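
The framing structure of Figure 5 can be recovered from a raw bit stream by its autocorrelation alone. The following is an added example, not code from the paper: it uses a plain second-order autocorrelation rather than the bispectrum of Figure 6, and it assumes fixed-length frames without bit stuffing, built from the 01111110 and 11000000 octets of Figure 5 with random payload.

```python
import random

FLAG = [0, 1, 1, 1, 1, 1, 1, 0]      # 01111110 delimiter shown in Figure 5
SECOND = [1, 1, 0, 0, 0, 0, 0, 0]    # 11000000, second octet of Figure 5's first row

def build_stream(frames, payload_bits, rng):
    """Constructed traffic: flag, fixed octet, random payload, closing flag."""
    bits = []
    for _ in range(frames):
        payload = [rng.randint(0, 1) for _ in range(payload_bits)]
        bits += FLAG + SECOND + payload + FLAG
    return bits

def autocorrelation(bits, max_lag):
    """Normalized autocorrelation of the +/-1 mapped, mean-removed stream, lags 1..max_lag."""
    x = [2 * b - 1 for b in bits]
    mean = sum(x) / len(x)
    x = [v - mean for v in x]
    energy = sum(v * v for v in x)
    if energy == 0:
        return [0.0] * max_lag
    return [sum(a * b for a, b in zip(x, x[lag:])) / energy
            for lag in range(1, max_lag + 1)]

def estimate_frame_period(bits, max_lag, min_peak=0.2, tolerance=0.9):
    """Return the frame length in bits, or None when no repeating structure stands out.

    The smallest lag within `tolerance` of the peak is chosen so that a multiple
    of the true period (2x, 3x) is not reported instead of the period itself.
    """
    r = autocorrelation(bits, max_lag)
    peak = max(r)
    if peak < min_peak:
        return None
    return next(lag for lag, v in enumerate(r, start=1) if v >= tolerance * peak)

if __name__ == "__main__":
    rng = random.Random(1996)
    stream = build_stream(frames=150, payload_bits=40, rng=rng)   # 64-bit frames
    print("estimated frame period:", estimate_frame_period(stream, 200))
```

Only the 24 fixed bits of each 64-bit frame repeat, so the peak sits near 24/64 rather than 1.0; the random payload contributes nothing on average.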

Control Loop Measurement

The methods of DSP provide a powerful new tool in the recognition of patterns in network activity. This tool can implement general intrusion criteria. The authors believe that these include the concept of Control Loop Measurement.

Hypothesis: There is a new intrusion detection criterion utilizing the signature of an intruder's control-loop. A control-loop is characterized by both observability (surveillance) in conjunction with controllability (process accesses and system calls). We illustrate how to quantify this control and how to apply the resulting measure to discriminate intruders from normal activities.

Control-Loop Detection

The field of Control Theory in electrical engineering includes the concepts of Observability and Controllability. Within this theory, a control system compares observations of a system's state with desired states to generate corrections intended to steer the system being controlled toward the desired state. As shown in Figure 7 below, it is our premise that the activities of a focused external intruder can be viewed as a control loop.

Figure 7. A Focused External Attacker Utilizes a Control Loop

As shown in this figure, an attacker's network activities are characterized by observability (surveillance) in conjunction with controllability (process access and system calls). We believe that "high control behavior" provides a useful metric for discriminating interesting activities that may be useful in recognizing intruders. We also believe that high control behavior can be statistically detected in the bi-directional data flows using the tools of DSP.
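
One way to turn "high control behavior" into a number, as an added example that is not the authors' measure: the score below is a hypothetical metric that treats lagged correlation from inbound to outbound activity as controllability and from outbound to subsequent inbound activity as observability, and requires both. The binned traffic series are constructed, not captured.

```python
from math import sqrt

def pearson(x, y):
    """Pearson correlation of two equal-length series; 0.0 if either is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / sqrt(sxx * syy)

def peak_lagged_corr(cause, effect, max_lag):
    """Largest correlation between cause[i] and effect[i + lag] for lag = 1..max_lag."""
    return max(pearson(cause[:-lag], effect[lag:]) for lag in range(1, max_lag + 1))

def control_loop_score(inbound, outbound, max_lag=5):
    """Hypothetical metric: a closed loop needs coupling in both directions."""
    controllability = peak_lagged_corr(inbound, outbound, max_lag)  # action -> system reply
    observability = peak_lagged_corr(outbound, inbound, max_lag)    # reply -> next action
    return max(0.0, min(controllability, observability))

def make_session(gaps, count):
    """Constructed traffic: one inbound request every gaps[k] bins, answered one bin later."""
    t, requests = 0, []
    for k in range(count):
        t += gaps[k % len(gaps)]
        requests.append(t)
    inbound, outbound = [0] * (t + 8), [0] * (t + 8)
    for r in requests:
        inbound[r] += 1
        outbound[r + 1] += 1
    return inbound, outbound

# Constructed samples, not captured traffic.
# Closed loop: each new request arrives 2 bins after the previous reply, with idle pauses.
CLOSED_LOOP = make_session([3, 3, 3, 3, 3, 20], 60)
# Open loop: request timing is unrelated to when replies arrive.
OPEN_LOOP = make_session([2, 9, 4, 12, 6, 3, 11, 5, 8, 7, 10], 60)

if __name__ == "__main__":
    print("closed loop:", round(control_loop_score(*CLOSED_LOOP), 2))
    print("open loop:  ", round(control_loop_score(*OPEN_LOOP), 2))
```

Both sessions are answered promptly, so controllability alone does not separate them; only the reply-to-next-request coupling does. A legitimate interactive session produces the same coupling, so a score of this kind ranks connections for review rather than classifying them.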

Functional Concept

The functional concept of a system using the new methods discussed above is illustrated in Figure 8 below. The system concept includes a sequence of processes acting on network traffic serving to generate real-time activity spectra.

Figure 8. A System Functional Concept Implements Control Loop Measurement

Operational Concept

The Control Loop Measurement functional concept can be implemented in several obvious ways. The notional figure below illustrates an implementation in a DSP board plugged into a slot in a main router. This implementation may be attractive for some installations due to the visibility it gives the IDS over all external traffic.

Figure 9. A Router-Based Implementation of Control Loop Measurement

What they tell you ... Likely outputs from a Control Loop Measurement IDS include Spectral analysis and presentations of high degrees of observability and controllability, the instantaneous distribution of external connections, internal distribution of significant correlated connections, and scale indicators of suspicious activity.

Benefits

In this paper we have discussed a concept and rationale for a class of new methods of intrusion detection. Potential benefits of these new methods include higher detection probability, lower false alarm rate, more timely warning (real-time), lower processing burden, lower management burden, reduced demand for a priori data, more secure, less cumbersome, wider applicability, and better coverage zones.

Summary

Our paper presented a summary of the needs for advanced intrusion detection systems. This reflects the growing recognition of the inherent penetrability of any networked computer system. The objective of any intrusion detection system is to generate alarms and warning data whenever likely break-ins are suspected. The ideal intrusion detection system is timely, has a high probability of detection, low false-alarm rate, provides useful attack characterization data, and is scaleable to large (infinite) networks such as the Internet. Additionally, it must operate with a minimum of a priori information about potential attackers and their methods.

Digital Signal Processing (DSP) is in wide use in many applications of electrical and computer engineering, including modern control systems, sensors and communications. Using modern statistical methods, time-series data is collected, filtered, correlated, and analyzed for many purposes including event detection. The recognition and characterization of computer network protocols has been among the applications successfully handled by DSP. We illustrated these methods with selected examples.

A determined attacker effects his intrusion through a sequence of activities to achieve a desired result. Each of these actions, viewed by itself, may be a normal legitimate activity. It is only when this sequence is assembled that the intruder's hostile objectives become clear. The core of the intrusion detection problem is how to recognize this behavior. We described a new criterion based upon detection of the intruder's control-loop. In general, a control-loop is characterized by both observability (surveillance) in conjunction with controllability (process launches and system calls). We illustrated how to quantify this control and how to apply the resulting measure to discriminate intruders from normal activities.

Finally, we described the use of Control-Loop detection in an intrusion detection system and described its benefits over alternative technologies.