An Entropy-Based Architecture for Intrusion Detection in LAN Traffic

P. Velarde-Alvarado (Autonomous University of Nayarit, Mexico), A. Martinez-Herrera (ITESM-Campus Monterrey, Mexico), C. Vargas-Rosales (ITESM-Campus Monterrey, Mexico) and D. Torres-Roman (Center for Investigation and Advanced Studies, Mexico)
DOI: 10.4018/978-1-60960-836-1.ch004

Abstract

Information security has become a primary concern in enterprise and government networks. In this respect, a Network-based Intrusion Detection System (NIDS) is a critical component of an organization’s security strategy. This chapter is the result of an effort to design an Anomaly-based Network Intrusion Detection System (A-NIDS) that is capable of detecting network attacks using entropy-based behavioral traffic profiles. These profiles are used as a baseline that defines the normal behavior of certain traffic features. The Method of Remaining Elements (MRE) is the core of the traffic-profiling task. In this method, a new measure of uncertainty called Proportional Uncertainty (PU) is proposed, which provides an important characteristic: the exposure of anomalies in those traffic slots related to anomalous behavior. Moreover, PU increases the sensitivity for early detection and allows detection of a wider range of attacks than naïve entropy estimation. The performance evaluation of the proposed architecture was carried out on the MIT-DARPA dataset and also on an academic LAN by implementing real attacks. The results show that this architecture is effective in the early detection of intrusions, including some attacks designed to bypass detection measures.

Introduction

Nowadays, network infrastructures are crucial to the internal and external activities of an organization. It is vital that sensitive information and network assets handled through these networks be protected from attacks by unauthorized users and malicious hackers. Examples of sensitive information include proprietary, private, financial, or classified government information. Therefore, it is important that an organization implements rigorous security strategies that meet the requirements of mission-critical applications. Mission-critical applications are those where failure of execution, or faulty execution, may have catastrophic results. In business environments, information systems managers would consider as mission-critical those systems where failure could lead to loss of money (e.g. banking and telecom), serious inability to conduct business (e.g. online investment systems or accounting systems), or serious operational chaos (e.g. electronic trading systems or electronic data interchange systems).

According to the annual Computer Crime and Security Surveys conducted by the Computer Security Institute (CSI, 2009), security threats have grown not only in volume, but also in sophistication and damage potential. In this context, conventional security measures have only been able to provide limited protection. Specifically, firewalls often cannot protect against an insider attack. They also cannot protect connections that do not go through the firewall, e.g. when someone connects to the Internet through a desktop modem and a telephone line. In essence, a firewall simply blocks traffic by enforcing access control policies. On the other hand, the rules used by a Signature-based NIDS (S-NIDS) such as Snort (Roesch, 1999) can be created only after a new type of intrusion has been identified and analyzed. By the time this process has been completed, the attack may have had time to spread or to be modified by its creators. Finally, in a traditional Anomaly-based NIDS (A-NIDS) a profile can be built around certain traffic features, for instance in terms of a threshold for the maximum volume of traffic. However, a clever attack may infiltrate if the volume of malign traffic remains within the threshold level. In such a case, the overall volume of traffic into the network looks normal. Responding by lowering the threshold for this type of attack can lead to a high false positive rate.
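To make the contrast between a volume threshold and an entropy-based profile concrete, here is an added example (not the chapter's code, and not its MRE or PU measure) using the naïve plug-in entropy estimate the abstract mentions as the baseline. It assumes two constructed traffic features, source IP and destination port, a per-feature mean-plus-k-sigma band learned from constructed normal slots, and a minimum band width `min_sigma` chosen here to keep the band from collapsing; every slot carries the same packet count, so only the entropy profile separates them.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed sample traffic (not from the chapter): each slot is a list of
# (src_ip, dst_port) pairs, and every slot holds exactly 24 packets so that a
# pure volume threshold sees no difference between them.
HOSTS = ["10.0.0.%d" % i for i in range(1, 6)]
PORT_MIX = [80, 443, 80, 53, 443, 80, 22, 443, 25, 80, 53, 993]

def make_normal_slot(offset):
    """Normal slot: five hosts talking to the usual port mix (varies with offset)."""
    return [(HOSTS[(i + offset) % 5], PORT_MIX[(i * (offset + 1)) % 12])
            for i in range(24)]

# Anomalous slot with the same volume: one host, 24 distinct destination ports.
SCAN_SLOT = [("10.0.0.9", 1000 + i) for i in range(24)]

def entropy_bits(values):
    """Naive (plug-in) Shannon entropy, in bits, of a feature's empirical distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def slot_profile(packets):
    """Entropy of each monitored traffic feature for one time slot."""
    return {"src_ip": entropy_bits([p[0] for p in packets]),
            "dst_port": entropy_bits([p[1] for p in packets])}

def build_baseline(training_slots, k=3.0, min_sigma=0.05):
    """Learn a per-feature band [mu - k*sigma, mu + k*sigma] from normal slots.
    min_sigma is an assumed floor (not from the chapter) that stops the band
    collapsing to zero width when training slots have identical entropy."""
    profiles = [slot_profile(s) for s in training_slots]
    baseline = {}
    for feat in profiles[0]:
        vals = [p[feat] for p in profiles]
        mu, sigma = mean(vals), max(pstdev(vals), min_sigma)
        baseline[feat] = (mu - k * sigma, mu + k * sigma)
    return baseline

def anomalous_features(packets, baseline):
    """Features whose entropy in this slot leaves the learned normal band."""
    prof = slot_profile(packets)
    return sorted(f for f, (lo, hi) in baseline.items() if not lo <= prof[f] <= hi)

if __name__ == "__main__":
    base = build_baseline([make_normal_slot(o) for o in range(4)])
    print("packets normal/scan:", len(make_normal_slot(0)), len(SCAN_SLOT))
    print("flagged in scan slot:", anomalous_features(SCAN_SLOT, base))
```

The scan slot is flagged on both features even though its packet count equals every normal slot; a real deployment would also have to choose the slot length and k against the false positive rate the paragraph above warns about.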
