An Entropy-Based Architecture for Intrusion Detection in LAN Traffic

Introduction

Nowadays, network infrastructures are crucial to the internal and external activities of an organization. It is vital that sensitive information and network assets that are handled through these networks should be protected from attacks by illegal users and malicious hackers. Examples of sensitive information include proprietary, privacy, financial, or classified government information. Therefore, it is important that an organization implements rigorous security strategies that meet the requirements of mission-critical applications. Mission-critical applications are those where failure of execution, or faulty execution, may have catastrophic results. In business environments, information systems managers would consider systems where failure could lead to loss of money (e.g. Banking & Telecom), serious inability to conduct business (e.g. online investment systems or accounting systems), or serious operational chaos (e.g. electronic trading systems or electronic data interchange systems), as being mission-critical.

According to the annual Computer Crime and Security Surveys, conducted by the Computer Security Institute (CSI, 2009), it has been observed a tendency that security threats have not only grown in volume, but also in sophistication and damage potential. In this context, conventional security measures have only been able to provide limited protection. Specifically, firewalls often cannot protect against an insider attack. They also cannot protect connections that do not go through the firewall, e.g. when someone connects to the Internet through a desktop modem and telephone. In essence, a firewall simply blocks traffic by enforcing access control policies. On the other hand, the rules used by Signature-based NIDS (S-NIDS) such as Snort (Roesch, 1999), can be created only if a new type of intrusion has been identified and analyzed. By the time this process has been completed, the attack could have time to disperse or be modified by its creators. Finally, in a traditional Anomaly-based NIDS (A-NIDS) a profile can be built around certain traffic features, for instance in terms of a threshold for the maximum volume of traffic. However, a clever attack may infiltrate if the volume of malign traffic remains within the threshold level. In such a case, the overall volume of traffic into the network looks normal. Respond by lowering the threshold for this type of attack can lead to a high false positives rate.