Publication


Featured research published by Tarek Abbes.


International Conference on Information Technology Coding and Computing | 2004

Protocol analysis in intrusion detection using decision tree

Tarek Abbes; Adel Bouhoula; Michaël Rusinowitch

Network-based intrusion detection systems are the most deployed IDS. They frequently rely on signature matching detection method and focus on the security of low level network protocols. Because of the large number of false positives from one side, and the incapacity to detect some attack types from another side, IDS must allow more interest to the monitoring of application level protocols. We propose in this paper a combination of pattern matching and protocol analysis approaches. While the first method of detection relies on a multipattern matching strategy, the second one benefits from an efficient decision tree adaptive to the network traffic characteristics.


ACM Symposium on Applied Computing | 2008

An inference system for detecting firewall filtering rules anomalies

Tarek Abbes; Adel Bouhoula; Michaël Rusinowitch

Firewalls are crucial equipment for protecting private networks. However, by only deploying firewalls, administrators are far from securing their enterprise networks. Bad configurations may cause serious security breaches and network vulnerabilities. In particular, conflicting filtering rules lead to block legitimate traffic or to accept unwanted packets. We present in this paper a new classification method to detect overlaps between packet filters within one firewall. Our method processes a set of filtering rules that have a variable number of fields. A field has a range of values, represented by an interval or a variable length bit string, that may intersect with the corresponding field ranges of other rules. In order to detect overlaps we organize the conditions of each filtering rule in such a way that we can quickly separate non overlapping rules. This strategy allows us to avoid considering the entire rule header in many cases.


Computational Science and Engineering | 2009

Misbehavior Detection Using Implicit Trust Relations in the AODV Routing Protocol

Mohamed Ali Ayachi; Christophe Bidan; Tarek Abbes; Adel Bouhoula

Trust is one of the basic assumptions that we use in everyday life. In ad hoc networks, routing protocols implement trust implicitly between the nodes of the network. Unfortunately, the implicit trust relations are not used by nodes whereas the attacks on ad hoc routing protocols precisely lead to the violation of at least one of these trust relations. In this paper, we demonstrate that a node can use these implicit trust relations to reason on neighbor behaviors to detect malicious nodes. We first formalize implicit trust relations of the AODV protocol. Then, we show that, given these relations, a node is able to reason on the actions performed by its neighbors and so deduce information about their knowledge. Finally, we discuss how these relations and the deduced information can be used to supervise the neighbor behavior and detect malicious nodes.


Conference on Risks and Security of Internet and Systems | 2009

Honeypot router for routing protocols protection

Abdallah Ghourabi; Tarek Abbes; Adel Bouhoula

Routing protocols are essential for interconnecting networks; however they may enclose several vulnerabilities that can be exploited by malicious attackers. For example, an attacker may send forged packets to a router with the intention of changing or corrupting the routing table, which in turn can reduce the network connectivity and degrade the router functionalities. To prevent and detect such attacks, several security techniques are available like firewall, authentication mechanisms and intrusion detection system (IDS). Nevertheless these security methods encounter some problems, especially when dealing with new attacks. Relying on additional security principles seems to be important to well protect network connectivity offered by routers. In this paper, we propose using honeypot to protect routing protocols. Honeypot is particularly useful to attract attackers, driving them away from real routers and allowing the administrators to be aware about intrusion attempts on their networks and the employed techniques that can be recent. Our solution (Honeypot Router) is to deploy a honeypot playing the role of a router. The honeypot is based on routing software called Quagga and other tools for traffic capture and analysis. The entire solution supervises all routing traffic, so it detects and studies new attacks against routing protocols (RIP, OSPF and BGP).


Information Integration and Web-based Applications & Services | 2010

Experimental analysis of attacks against web services and countermeasures

Abdallah Ghourabi; Tarek Abbes; Adel Bouhoula

Web services are increasingly becoming an integral part of next-generation web applications. A Web service is defined as a software system designed to support interoperable machine-to-machine interaction over a network based on a set of XML standards. This new architecture and set of protocols brings new security challenges such as confidentiality, integrity, anonymity, authentication, authorization and availability of requested services. Vulnerabilities in Web services are very dangerous since they can be used by attackers to damage the company's information system and steal confidential data. In this paper, we carry out an experimental analysis of attacks against Web services. We demonstrate experimentally three types of attacks and we reveal dangerous techniques and tools used by attackers that administrators have to prevent. Moreover, we study the effects of these attacks by observing their impact on Information System data and resources. Finally, we propose general countermeasures to prevent and mitigate such attacks.


ACS IEEE International Conference on Computer Systems and Applications | 2010

Data analyzer based on data mining for Honeypot Router

Abdallah Ghourabi; Tarek Abbes; Adel Bouhoula

Honeypot is an effective security tool, which is intended to be attacked and compromised to gain more information about the attacker and his attack techniques. To study these attacks, the honeypot must capture and log large amounts of data which are very difficult to process manually. So, the analysis of these logs has become a very difficult and time consuming task. To resolve this problem, several researchers have proposed the use of data mining techniques in order to classify logged traffic and extract useful information. In this paper, we present a data analysis tool for our Honeypot Router. This tool is based on data mining clustering. The main idea is to extract useful features from data captured by the Honeypot Router. These data will be then clustered by using the DBSCAN clustering algorithm in order to classify the captured packets and extract those that are suspicious. Suspicious packets will be then verified by a human expert. This solution is very useful to detect novel routing attacks.


Annales Des Télécommunications | 2004

On the fly pattern matching for intrusion detection with Snort

Tarek Abbes; Adel Bouhoula; Michaël Rusinowitch

Intrusion Detection Systems are becoming necessary tools for system administrators to protect their network. However they find more and more difficulties with high speed networks. To enhance their capacity and deal with evasion techniques, frequently used by hackers, we have introduced a new method to filter the network traffic. The detection method, while being stateful, processes each packet as soon as it is received. We have employed this strategy after a new classification of detection rules. Then, we have used efficient multisearch methods and suitable data structures for signatures. The method has been successfully implemented as an extension of the Intrusion Detection System “Snort”.

Summary: Intrusion detection systems have become indispensable for administrators to protect their networks. However, these tools have shortcomings in handling high throughput and performing a precise analysis of packet contents. In this article we propose a new approach to filtering network traffic. This method is able to process each packet as soon as it is received while keeping track of connection state. We rely on an intelligent organization of the detection rules and on algorithms for searching several signatures. This methodology has been successfully implemented in the intrusion detection system “Snort”.


International Journal of Information Security | 2016

Detection of firewall configuration errors with updatable tree

Tarek Abbes; Adel Bouhoula; Michaël Rusinowitch

The fundamental goals of security policy are to allow uninterrupted access to the network resources for authenticated users and to deny access to unauthenticated users. For this purpose, firewalls are frequently deployed in networks of every size. However, bad configurations may cause serious security breaches and network vulnerabilities. In particular, conflicted filtering rules lead to block legitimate traffic and to accept unwanted packets. This fact troubles administrators who have to insert and delete filtering rules in a huge configuration file. We propose in this paper a quick method for managing a firewall configuration file. We represent the set of filtering rules by a firewall anomaly tree (FAT). Then, an administrator can update the FAT by inserting and deleting some filtering rules. The FAT modification automatically reveals emerged anomalies and helps the administrator to find the adequate position for a newly added filtering rule. All the algorithms presented in the paper have been implemented, and computer experiments show the usefulness of updating the FAT data structure in order to quickly detect anomalies when dealing with a huge firewall configuration file.


Advanced Information Networking and Applications | 2007

A Traffic Classification Algorithm for Intrusion Detection

Tarek Abbes; Adel Bouhoula; Michaël Rusinowitch

We propose in this paper a new intrusion detection method for supporting high speed traffic. As in firewalls and routers, we rely on packet classification to specialize the task of several network intrusion detection systems (NIDSs). We build several traffic classes regarding the network configuration and the traffic properties. Then we consider the NIDS characteristics to select for each class the suitable intrusion detection method. Our idea offers several advantages such as load balancing, fault tolerance and attack prevention. We express our traffic classification method by means of traffic division rules. Then we adequately construct the paths of these rules to reduce the overlapping cases. We transform the rule paths in a prefix trie that we complete by failure links to finally get a directed acyclic graph (DAG). We believe that our classification method is useful for other problems such as firewalling, routing and billing.


Archive | 2007

A Model based on Parallel Intrusion Detection Systems for High Speed Networking Security

Sourour Meharouech; Adel Bouhoula; Tarek Abbes

During this time when the Internet provides essential communication between an infinite number of people and is being increasingly used as a tool for commerce, security becomes a tremendously important issue to deal with. It is also important to note that, recently, the intrusion detection systems (IDS) have been unable to provide an effective security mechanism for defending high speed networks. Existing network intrusion detection systems (NIDS) can barely keep up with bandwidths of some hundred Mbps whereas, nowadays, the network speed presses forward 10 Gbps. So in order to protect high speed networks, we propose a new approach aiming at accelerating the intrusion detection operation. The approach is based on three main steps: traffic classification, load balancing and a high availability mechanism. This paper describes the above mentioned approaches and presents an experimental evaluation of their effectiveness.

Collaboration


Dive into Tarek Abbes's collaboration.

Top Co-Authors

Adel Bouhoula

Residence Inn by Marriott

Abdallah Ghourabi

Higher School of Communication of Tunis

Alain Giorgetti

University of Franche-Comté

Fabien Peureux

University of Franche-Comté

Fabrice Bouquet

University of Franche-Comté
