DISTRIBUTED IDS AS FORENSIC COMPUTING AND ANALYSIS TOOL: A PRACTICAL APPROACH

Presented By:
Rizwan Ahmed (1), M. S. Khatib (2)
(1) Department of Computer Science & Engineering, Anjuman College of Engineering & Technology, Nagpur (M.S.), India
(2) Department of Computer Science & Engineering, Anjuman College of Engineering & Technology, Nagpur (M.S.), India

ABSTRACT

An Intrusion Detection System (IDS) is now considered a standard requirement when building a network security infrastructure. The concepts of intrusion detection and forensic computing are often not considered together, even though the IDS is the most likely candidate for gathering information useful in tracing and analyzing a network-based computer security incident. From the standpoint of the security practitioner, the primary uses of the IDS are prevention, detection and response. Extending that to include forensic analysis of the event means going outside the parameters and functionality of most IDS.
Against that view stands the plain observation that, when an event occurs, there is a high probability that the IDS will be the only thing watching the network in enough detail to capture the event and any precursor events in their entirety. Thus, the application of IDS output to the investigation and potential prosecution of an attack against computers on a network is of interest both to practitioners and to researchers.
This paper discusses the details of IDS in the context of their use as investigative tools, the fundamentals of forensic computer analysis and network forensic analysis, and some potential methods of combining these techniques to enable the investigation and prosecution of computer crime. We finally propose to incorporate all the findings in our Distributed IDS, which is developed on top of Snort.

1. INTRODUCTION

With the increasing complexity and geographical distribution of computer networks, including the Internet, the possibilities and opportunities are limitless; unfortunately, so too are the risks and the chances of computer and cyber crime. Annual reports from the Computer Emergency Response Team (CERT) indicate a significant increase in the number of computer security incidents each year [19].
As a result, there is an ever increasing need to ensure that the laws that governed the old paper world evolve to meet the challenges of a computer-dominated environment. Information confidentiality and integrity are both subject to greater vulnerabilities in today's electronic medium than they ever were in a paper-based society.
It is therefore a foregone conclusion that computer security will need to keep in step with the unstoppable computerization of the world's knowledge, information and operations. Security procedures, particularly on systems in security-sensitive environments, must not only encompass the protection of information against unauthorized disclosure, modification or destruction, but also maintain the integrity of the computing system and address the ever increasing problem of computer misuse.
Today, computer security can be roughly divided into two areas: procedures that attempt to prevent security breaches, and procedures that attempt to detect security violations. The role of both areas in an overall model of system security is clear, and all modern IDS have both detection and prevention mechanisms. There is, however, an additional aspect of system security, an area often termed Forensic Computing. It runs closely, and often in parallel, with the other two and adds depth to the overall scope of system security and response. Forensics has often been defined in terms of software; however, it can be extended to include the hardware and the executing/logging facilities of a system. Computer forensics can therefore be roughly defined as the process of examining what remains after an incident in order to obtain evidence about the factors involved in a crime or violation. Computer crime arising from computer misuse often manifests itself as anomalous behavior, both of individual system users and of the system as a whole. Although improvements to operating system security continue, the available computer security features are still not good enough to detect many anomalous behavior patterns by system users. Current computer security systems do not generally protect against [3]:
• Intruders posing as legitimate system users
• A highly privileged user behaving destructively
• A legitimate user taking advantage of mistakes in the configuration of system security measures or other system vulnerabilities
• Trojan horses or executable programs that have been altered to perform some new improper function
Any of these occurrences may prove to be a suspect vulnerability that may or may not jeopardize the security of a system. At worst, any one or more of them may serve as a launching point for destructive criminal behavior on the system. System anomalies can therefore be viewed as symptoms that may herald criminal activity. It is important to note that crime committed within the electronic environment has the added attraction of the natural anonymity often afforded the perpetrator; tracing the crime back to the criminal is generally an extremely difficult task. Should a system or user behavioral anomaly be a launching site for criminal activities, as much information as possible should be gathered about the act. This is not only for the current security of the system but also in case the need arises for evidence after the fact, and for future reference.
IDS have been explored for many years in an attempt to inject some artificial intelligence into the task of identifying any anomalies that may surface in a system. Many are based on extensive logging, and aim to collect as much knowledge about system users as possible.
Intrusions are inherently difficult to detect because of the great number of varying methods used to accomplish them. Apart from exploiting known architectural or operating system weaknesses, intruders may also exploit flaws in the fixes for those known weaknesses. Furthermore, a fix for a flaw in a system may expose other existing vulnerabilities that were initially overlooked. The important underlying point is that the vulnerability state of a system is in continual flux [23]. Therefore, when the first, often fallible, preventive line of system defense is breached, the intrusion detection mechanism comes clearly into play to gather forensic evidence for future courses of action. This paper explores the role of a distributed IDS as a forensic computing and analysis tool.
2. BACKGROUND OF IDS

Among all security issues, intrusion is the most critical and widespread. An intrusion can be defined as an attempt to compromise, or otherwise cause harm to, a network. Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusion. Historically, intrusion detection systems date back to 1980 [4] and became a well-established research area after the introduction of the model of [5] and the prototypes presented in [6] and [7].
IDS can be classified into host-based, network-based and application-based IDS. A large amount of research is being conducted to make IDS adaptable to new attacks using various techniques.
We have also developed an adaptive distributed IDS using mobile agents and distributed sensors on top of Snort [1, 2].
3. FORENSIC COMPUTING: AN OVERVIEW

Forensic Science has been defined as "any science used for the purposes of the law [providing] impartial scientific evidence for use in the courts of law, and in a criminal investigation and trial." [8]
Network forensics has been defined as "the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents." [9]
Forensic computing can be defined as "the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations." [10]
These activities are undertaken in the course of a computer forensic investigation of a perceived or actual attack on computer resources. The primary goals of the computer forensic analysis process are:
• To help participants determine what undesirable events occurred, if any.
• To gather, process, store, and preserve evidence to support the prosecution of the culprit(s), if desired.
• To use that knowledge to prevent future occurrences.
• To determine the motivation and intent of the attackers.
Forensic computing science differs from the traditional forensic disciplines. To begin with, the tools and techniques [20, 21, 22] required are readily available to anyone seeking to conduct a computer forensic investigation. In contrast to traditional forensic analysis, computer examinations are commonly required to be performed at virtually any physical location, not just in a controlled environment. Rather than producing conclusions that require expert interpretation, computer forensic science produces direct information and data that may play a significant role in the apprehension or conviction of cyber criminals.
It has also been noted that the evolution of digital forensics has proceeded from ad hoc tools and techniques rather than from the scientific community, where many of the other traditional forensic sciences originated [11]. This is problematic because evidence must be obtained using methods that are proven to reliably extract and analyze it without bias or modification. The standardization of various forensic computing tools and techniques is discussed in [12, 13].

4. COMBINING FORENSICS AND IDS

Various guidelines that should be observed during an investigation are discussed in [14]. The first source available for analysis when an incident occurs is the IDS, and it can contribute substantially to collecting the evidence. Current IDS, however, do not exploit this role to the extent they should.
We are proposing an adaptive distributed IDS using mobile agents and distributed sensors that will adapt to attacks using evolutionary techniques; it is under development as proposed in [1, 2].
We would like to incorporate into our system the concept of Case-Relevance, "the property of any piece of information, which is used to measure its ability to answer the investigative 'who, what, where, when, why and how' questions in a criminal investigation", as described in [15]. We propose to incorporate the concept using Case-Relevance information extraction, following the model shown in Figure 1.
The Automatic Evidence Extraction Module is the core of the Case-Relevance Information Extraction scenario. The paper [15] proposed a hybrid architecture consisting of Information Retrieval (IR), Information Extraction (IE) and a computer intelligence function, as shown in Figure 2.

4.1 Information Retrieval Block.

The Seed Keywords are sent to the Query Expansion & Refinement Module. A predetermined concept-based thesaurus automatically adds synonyms to the original query. The thesaurus categorizes the patterns by their semantic concept and is very effective at controlling the number of query terms and improving precision. It is built and maintained by authorized experts from previous case documents and other sources such as WordNet. The query terms are then sent to a Multi-Pattern Searching Engine. The expansion step may increase the number of keywords dramatically and thus add to the load on the searching engine, so a fast multiple-pattern searching algorithm is preferred; hardware-based architectures attract attention here because of their intrinsic parallelism and speed advantage.
Figure 2: Automatic Evidence Extraction Module

4.2 Computer Intelligence Block.

A Case Relevant Judgment module scans the target data, makes a decision on the given Case Profile, and returns data ranked by their degrees of Case-Relevance.
4.3 Information Extraction Block.
The IE block can be divided into two parts: Template Building and Keyword Extraction. In the Template Building part, the event templates are automatically created from the given Case Profile and are then used in the Keyword Extraction part. The Keyword Extraction part has three functional modules. The first is a semantic-level document filter, which identifies relationships rather than purely Boolean matches. Hence, topics and documents can be matched not only by whether the specified keywords occur in both, but by whether they occur in the same (or a similar) relationship in both topic and document. Non-relevant documents are abandoned even if they contain the same keywords. The second is a keyword extraction module, which fills the Event Templates with the key information that may be used as new query terms, e.g. personal names, times and locations. The third module is a semantic tagger. It uses semantic-level analysis to disambiguate the concepts of the words or phrases in the given context and adds corresponding tags to the selected keywords. The new keyword list is sent to the IR block to start the next round of search, and the added tags can be processed by the concept-based thesaurus to produce accurate query terms.
We propose to build an expert system on the basis of the model described above so as to enable our IDS to gather digital evidence for forensic computing. We also want to incorporate the digital evidence collection techniques described in [16, 17, 18] in our system. We will implement this on top of our existing system, which uses C# for the front end, with the case database implemented in SQL. This will make our approach better able to investigate and analyze any intrusion that occurs.
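As an added illustration (not code from the paper or from its Snort-based system), the following Python sketch runs the three blocks of Sections 4.1 to 4.3 over a handful of constructed Snort-style alert lines: seed keywords are expanded through a small thesaurus, a single-pass multi-pattern search scores each alert by how many concepts it matches (its degree of Case-Relevance), and a who/what/where/when event template filled from the relevant alerts feeds new query terms back into the next search round. The thesaurus, the alert lines, the IP addresses and the rule SIDs are all constructed for the example.

```python
import re

# Snort "fast" alert layout, the target data the IR block searches.
ALERT_RE = re.compile(
    r"^(?P<when>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<what>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts (documentation IP ranges, local-rule SIDs), not real captures.
ALERTS = [
    "10/02-08:01:13.120 [**] [1:1000001:1] LOCAL SSH scan of port 22 [**] [Priority: 2] {TCP} 198.51.100.7:51234 -> 192.0.2.10:22",
    "10/02-08:01:19.482 [**] [1:1000002:1] LOCAL sshd failed password burst [**] [Priority: 1] {TCP} 198.51.100.7:51240 -> 192.0.2.10:22",
    "10/02-08:02:02.007 [**] [1:1000003:1] LOCAL web robots.txt access [**] [Priority: 3] {TCP} 203.0.113.5:40012 -> 192.0.2.20:80",
    "10/02-08:04:41.910 [**] [1:1000004:1] LOCAL external connection to database port [**] [Priority: 2] {TCP} 198.51.100.7:51300 -> 192.0.2.20:3306",
    "10/02-08:05:10.333 [**] [1:1000005:1] LOCAL outbound DNS burst [**] [Priority: 3] {UDP} 192.0.2.53:53000 -> 203.0.113.53:53",
]

# Constructed concept-based thesaurus standing in for the expert-maintained one.
THESAURUS = {
    "ssh": ["sshd", "port 22"],
    "brute force": ["failed password", "login attempt"],
}

def build_engine(concepts):
    """One alternation over every term of every concept: a software stand-in for the
    multi-pattern search engine. Returns the regex and a term -> concept map."""
    lookup = {}
    for concept, terms in concepts.items():
        for term in terms:
            lookup[term.lower()] = concept
    # Longest terms first so "sshd" wins over "ssh" at the same position.
    alternation = "|".join(re.escape(t) for t in sorted(lookup, key=len, reverse=True))
    return re.compile(alternation, re.IGNORECASE), lookup

def fill_event_template(alert):
    """IE block: fill the who/what/where/when template from one alert (None if unparsable)."""
    m = ALERT_RE.match(alert)
    if not m:
        return None
    return {"who": m["src"], "what": m["what"], "where": f"{m['dst']}:{m['dport']}", "when": m["when"]}

def investigate(seeds, alerts, thesaurus=THESAURUS, rounds=3):
    """IR -> Case-Relevance judgement -> IE loop. Degree of Case-Relevance is the number
    of distinct concepts an alert matches; alerts that match none are abandoned."""
    concepts = {s: [s] + thesaurus.get(s, []) for s in seeds}  # query expansion
    ranked = []
    for _ in range(rounds):
        engine, lookup = build_engine(concepts)
        scored = []
        for alert in alerts:
            hits = {lookup[m.group(0).lower()] for m in engine.finditer(alert)}
            if hits:
                scored.append((len(hits), alert))
        scored.sort(key=lambda s: -s[0])  # stable sort: ties keep capture order
        ranked = [alert for _, alert in scored]
        # Actors extracted from relevant alerts become query terms for the next round.
        new_terms = {}
        for alert in ranked:
            t = fill_event_template(alert)
            if t:
                new_terms[f"actor {t['who']}"] = [t["who"]]
        if all(name in concepts for name in new_terms):
            break  # no new query terms: the search has converged
        concepts.update(new_terms)
    return ranked
```

With the seeds "ssh" and "brute force", the first round returns only the two SSH alerts; the source address extracted from them pulls the later database-port alert from the same actor into the second round, which is the kind of link a keyword-only search would miss.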

5. CONCLUSION AND FUTURE WORK

Current intrusion detection systems (IDS) and intrusion response systems (IRS) have a limited ability to adapt their detection and response capabilities to increasingly sophisticated modern attacks. We have proposed an architecture for a distributed intrusion detection system based on mobile agents. An expansion of the distributed IDS appears possible using response and immunity components, for better adaptability to new variants of attacks and for use in criminal investigation through forensic computing techniques.
This paper proposes a method to bind computer intelligence to the current computer forensic framework, particularly to the data analysis phase, using the IDS framework. The proposed framework will demonstrate the benefits of computer intelligence technologies, automatic evidence extraction and knowledge reusability, resulting in great savings in human resources. The distributed system will incorporate better incident response and forensic analysis, and on that basis will adapt better to future attacks.
REFERENCES

[1] Rizwan Ahmed, Kamlesh Kelwade, M. S. Khatib. Distributed Intrusion Detection System: a Mobile Agent & Distributed Sensors Based Approach. NCDC 2006 proceedings, Pune, India.
[2] Rizwan Ahmed, Kamlesh Kelwade, M. S. Khatib. Adaptive Distributed Intrusion Detection System: a Mobile Agent & Distributed Sensors Based Approach. 41st Annual National Convention of Computer Society of India, CSI-2006 on Affordable Computing, Kolkata, India (selected for presentation on November 23-25, 2006).
[3] H. S. Vaccaro and G. E. Liepins. "Detection of Anomalous Computer Session Activity". 1989 IEEE Computer Society Symposium on Security and Privacy, May 1989.
[4] J. P. Anderson. Computer Security Threat Monitoring and Surveillance. Technical report, James P. Anderson Co., Fort Washington, PA, April 1980.
[5] D. E. Denning. An intrusion-detection model. In Proceedings of the IEEE Symposium on Security and Privacy, pages 118-131, April 1986.
[6] D. S. Bauer and M. E. Koblentz. NIDX - an expert system for real-time network intrusion detection. In Proceedings of the Computer Networking Symposium, pages 98-106, Washington, DC, April 1988.
[7] R. Schoonderwoerd, O. Holland, and J. Bruten. Ant-like agents for load balancing in telecommunications networks. In Proceedings of the First International Conference on Autonomous Agents, 1997.
[8] Forensic Science White Paper. library.thinkquestTQ0312020/whatisforens.htm (accessed September 12, 2006).
[9] Marcus Ranum. Network Forensics Whitepaper. http://searchnetworking.techtarget.com (accessed September 12, 2006).
[10] Palmer, Gary. A Road Map for Digital Forensics Research - Report from the First Digital Forensics Research Workshop (DFRWS). Technical Report DTR-T001-01 Final, Air Force Research Laboratory, Rome Research Site, 2001.
[11] Palmer, Gary. "Forensic Analysis in a Digital World." 2002.
[12] Farmer, D., Venema, W. "Computer Forensics Analysis Class Handouts." http://fishforensics/class.html (accessed September 12, 2006).
[13] National Institute of Justice (2002). Results from Tools and Technology Working Group, Governors Summit on Cybercrime and Cyberterrorism, Princeton, NJ.
[14] Joel Weise and Brad Powell. Using Computer Forensics When Investigating System Attacks. 2005. http://sunblueprints (accessed September 12, 2006).
[15] Gong Rubin, Chan Kai Yu. Case-Relevance Information Investigation: Binding Computer Intelligence to the Current Computer Forensic Framework. International Journal of Digital Evidence, 2005.
[16] Peter Sommer. Intrusion Detection Systems as Evidence. First International Workshop on the Recent Advances in Intrusion Detection. raid-symposiumraid98/Prog_RAID98/Full_Papers/Sommer_text.pdf (accessed September 12, 2006).
[17] Srinivas Mukkamala, Andrew Sung and Ajith Abraham. Cyber Security Challenges: Designing Efficient Intrusion Detection Systems and Antivirus Tools. softcomputingraochapter.pdf (accessed September 12, 2006).
[18] Srinivas Mukkamala, Andrew H. Sung. Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques. icasa.nmt.edu/Content/publication/identifying.pdf (accessed September 12, 2006).
[19] CERT/CC Statistics 1988-2006. http://cert stats/cert_stats.html (accessed September 12, 2006).
[20] Alec Yasinsac, Yanet Manzano. Honeytraps, A Network Forensic Tool.
[21] Brian Carrier. Open Source Digital Forensics Tools. digital-evidence papers/opensrc_legal.pdf (accessed September 12, 2006).
[22] Kulesh Shanmugasundaram, Nasir Memon, Anubhav Savant, and Herve Bronnimann. ForNet: A Distributed Forensics Network. acm.org/src/subpages/papers/Grand%20Finals%202005/Kulesh.pdf (accessed September 12, 2006).
[23] M. Crosbie, G. Spafford, COAST Group. Active Defense of a Computer System Using Autonomous Agents. Technical Report No. 95-008, February 1995.
AUTHOR PROFILE

Rizwan Ahmed
is Faculty with the Department of Computer Science & Engineering, Anjuman College of Engineering and Technology, Nagpur. He has extensive experience in industry as well as in teaching with reputed companies and institutes. He also serves as an independent software developer and security expert. His specific areas of research interest include computer security, digital forensics, e-learning and e-governance. He received his M.S. in Software Systems from BITS, Pilani and his B.E. in Computer Science from Amravati University. He has presented 15 papers in national and international journals and conferences, and has attended many national and international seminars and conferences as a delegate.
M. S. Khatib
is Faculty with the Department of Computer Science & Engineering, Anjuman College of Engineering and Technology, Nagpur. His specific areas of research interest include computer security, digital signal processing and e-governance. He received his M.E. in Computer Science and his B.E. in Computer Science from Amravati University. He has attended and presented papers at many national and international seminars and conferences.